[BreachExchange] SolarWinds hackers breach Microsoft support agent to target customers

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Jun 28 11:57:13 EDT 2021


https://www.itpro.co.uk/security/cyber-attacks/360017/solarwinds-hackers-target-microsoft-customers

Microsoft has confirmed that some of its customers have been targeted by
the Russian state-backed hacking group responsible for last year’s
SolarWinds cyber attack, after the group compromised the computer of a
Microsoft employee.

Known as Nobelium, the group was found to have engaged in “password spray
and brute-force attacks” on the tech giant’s customers.
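The "password spray" the article mentions differs from a brute-force attack in its shape in sign-in telemetry: one source tries a few passwords against many accounts and stays under each account's lockout threshold, whereas brute force hammers a single account. The Python below is an added example, not code from the article or from Microsoft; it runs a simple classifier over a constructed sign-in log (the log lines, account names, IP addresses and thresholds are all invented for illustration), labels each source IP, and lists the accounts that a flagged source subsequently signed in to, which is the first lead an incident responder would chase in data like this.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (made up for this example, not real telemetry).
# Fields: timestamp, account, source IP, outcome.
SAMPLE_LOG = [
    # one source, one guess each against six accounts in 20 seconds: a spray
    "2021-06-25T09:00:01Z alice@example.test 203.0.113.7 FAIL",
    "2021-06-25T09:00:05Z bob@example.test 203.0.113.7 FAIL",
    "2021-06-25T09:00:09Z carol@example.test 203.0.113.7 FAIL",
    "2021-06-25T09:00:13Z dave@example.test 203.0.113.7 FAIL",
    "2021-06-25T09:00:17Z erin@example.test 203.0.113.7 FAIL",
    "2021-06-25T09:00:21Z frank@example.test 203.0.113.7 SUCCESS",
] + [
    # one account hammered ten times from a second source: classic brute force
    f"2021-06-25T09:30:{s:02d}Z carol@example.test 198.51.100.22 FAIL"
    for s in range(0, 50, 5)
] + [
    # a user mistyping once and then logging in: must not be flagged
    "2021-06-25T10:00:00Z alice@example.test 192.0.2.5 FAIL",
    "2021-06-25T10:00:30Z alice@example.test 192.0.2.5 SUCCESS",
]


def parse(lines):
    """Parse log lines into (timestamp, account, ip, outcome) tuples, oldest first."""
    events = []
    for line in lines:
        ts, account, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=8):
    """Label each source IP and list the accounts it later signed in to.

    password_spray: within `window`, failures against >= spray_min_accounts distinct
                    accounts with at most spray_max_per_account tries each
                    (few guesses per account keeps the attacker under lockout).
    brute_force:    within `window`, >= brute_min_attempts failures against one account.
    None:           nothing suspicious from this source.
    Thresholds are illustrative; tune them to your own tenant's baseline.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, account)]
    successes = defaultdict(list)  # ip -> [account]
    for ts, account, ip, outcome in events:
        if outcome == "FAIL":
            failures[ip].append((ts, account))
        elif outcome == "SUCCESS":
            successes[ip].append(account)

    report = {}
    for ip in set(failures) | set(successes):
        fails = failures[ip]
        label = None
        start = 0
        for end in range(len(fails)):
            # advance `start` so fails[start:end + 1] spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(acct for _, acct in fails[start:end + 1])
            if (len(per_account) >= spray_min_accounts
                    and max(per_account.values()) <= spray_max_per_account):
                label = "password_spray"
                break
            if max(per_account.values()) >= brute_min_attempts:
                label = "brute_force"
                break
        # a success from a flagged source is the account to treat as compromised
        compromised = sorted(set(successes[ip])) if label else []
        report[ip] = {"label": label, "compromised": compromised}
    return report


if __name__ == "__main__":
    for ip, info in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(ip, info)
```

The per-source sliding window is what separates the two patterns: the spraying source never exceeds two failures for any one account, so a per-account lockout rule would miss it entirely, while the brute-force source trips the per-account count within seconds. Either label combined with a later success from the same source is the signal to reset credentials and review that account's sessions.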

The hackers implanted “information-stealing malware” on a device belonging
to a Microsoft customer support agent, through which they obtained “basic
account information for a small number of [Microsoft’s] customers”,
according to the firm.

They then “used this information in some cases to launch highly-targeted
attacks as part of their broader campaign”.

“We responded quickly, removed the access and secured the device,” said
Microsoft, adding that while the attacks were “mostly unsuccessful”,
hackers managed to compromise three of its customers.

"This recent activity was mostly unsuccessful, and the majority of targets
were not successfully compromised – we are aware of three compromised
entities to date," the Microsoft Security Response Center team announced in
a blog post. "All customers that were compromised or targeted are being
contacted through our nation-state notification process."

Around 10% of the targeted customers were UK-based, with the hackers mostly
focusing on “US interests”. The majority of the targets were “IT companies
(57%), followed by government (20%), and smaller percentages for
non-governmental organisations and think tanks, as well as financial
services”.

Overall, the hackers targeted organisations from 36 countries, the tech
giant stated, adding that it recommends that customers enable multi-factor
authentication in order “to protect their environments from this and
similar attacks”.

The news comes weeks after Nobelium launched a wave of attacks on more than
150 government agencies, think tanks, consultants, and NGOs from 24
countries, targeting an estimated 3,000 email accounts.

Microsoft's corporate VP of Customer Security & Trust, Tom Burt, said at
the time that Nobelium's main objective is to "gain access to trusted
technology providers and infect their customers". The hacking group’s
activities also tend to coincide with the "issues of concern to the country
from which they are operating", Burt said.

"This is yet another example of how cyber attacks have become the tool of
choice for a growing number of nation-states to accomplish a wide variety
of political objectives, with the focus of these attacks by Nobelium on
human rights and humanitarian organisations," Burt added.