In a recent development reflecting the persistent threat posed by Russian cyber actors, Microsoft has disclosed that the hackers behind the SolarWinds breach have resumed operations, using password spraying and brute-force methods to compromise customer accounts. This resurgence is a stark reminder that the attackers remain active and adept at evolving their strategies to infiltrate systems.
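The two techniques named above leave distinct footprints in sign-in telemetry: spraying tries one or two passwords against many accounts from the same source, while brute force hammers a single account. The following detector is an added example, not code from Microsoft or the original article; the log format, thresholds and sample records are constructed assumptions.

```python
"""Flag password-spraying and brute-force patterns in sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source_ip, result). Not real telemetry.
SAMPLE_LOG = [
    ("2021-06-25T10:00:01Z", "alice",      "203.0.113.10", "FAIL"),
    ("2021-06-25T10:00:09Z", "bob",        "203.0.113.10", "FAIL"),
    ("2021-06-25T10:00:15Z", "carol",      "203.0.113.10", "FAIL"),
    ("2021-06-25T10:00:22Z", "dave",       "203.0.113.10", "FAIL"),
    ("2021-06-25T10:00:30Z", "erin",       "203.0.113.10", "FAIL"),
    ("2021-06-25T10:00:41Z", "frank",      "203.0.113.10", "SUCCESS"),  # spray that landed
    ("2021-06-25T10:01:00Z", "svc-backup", "198.51.100.7", "FAIL"),
    ("2021-06-25T10:01:02Z", "svc-backup", "198.51.100.7", "FAIL"),
    ("2021-06-25T10:01:04Z", "svc-backup", "198.51.100.7", "FAIL"),
    ("2021-06-25T10:01:06Z", "svc-backup", "198.51.100.7", "FAIL"),
    ("2021-06-25T10:01:08Z", "svc-backup", "198.51.100.7", "FAIL"),
    ("2021-06-25T10:30:00Z", "alice",      "192.0.2.5",    "FAIL"),     # benign typo
    ("2021-06-25T10:30:05Z", "alice",      "192.0.2.5",    "SUCCESS"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect(records, window=timedelta(minutes=10), spray_min_users=5, brute_min_attempts=5):
    """Return per-source findings: spraying, brute force, and successes after a spray."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, user, ip, result in records:
        (fails if result == "FAIL" else successes)[ip].append((parse_ts(ts), user))
    spray, brute = {}, {}
    for ip, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_win = [u for t, u in events[i:] if t - t0 <= window]  # failures in window
            users = set(in_win)
            # Spraying signature: many distinct accounts, fewer than two attempts each.
            if len(users) >= spray_min_users and len(in_win) / len(users) < 2:
                spray[ip] = max(spray.get(ip, 0), len(users))
            # Brute-force signature: repeated failures against one account.
            for u in users:
                n = in_win.count(u)
                if n >= brute_min_attempts:
                    brute[(ip, u)] = max(brute.get((ip, u), 0), n)
    # A success from a source already seen spraying is the finding to triage first.
    follow_up = [(ip, u) for ip in spray for _, u in successes.get(ip, [])]
    return {"spray": spray, "brute": brute, "success_after_spray": follow_up}
```

The thresholds are deliberately low so the constructed sample triggers; in production tune them against the tenant's baseline of failed sign-ins per source, and treat a success from a spraying source as a confirmed-compromise signal rather than a lockout event.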
According to Microsoft’s Threat Intelligence Center, while the latest campaign saw numerous attempts to access customer accounts, the majority were unsuccessful. To date, it has been confirmed that three entities were compromised. Microsoft is in the process of notifying all affected customers through its nation-state alert protocol, underscoring the importance of transparency in cybersecurity incidents.
Reuters first reported on this wave of cyber activity, though the identities of the targeted organizations remain undisclosed. The intrusions have predominantly targeted IT firms, followed closely by government institutions, non-governmental organizations, think tanks, and financial service providers. Notably, around 45% of these attacks were concentrated in the United States, the United Kingdom, Germany, and Canada, indicating a focused geographical strategy by the adversaries.
Microsoft attributes these intrusions to a group it has dubbed Nobelium, which is associated with prior attacks on the SolarWinds supply chain. This group is also referred to within the cybersecurity community by various aliases, including APT29, UNC2452, and Dark Halo, among others. The multi-faceted identities reflect the complexity and reach of the adversary, complicating response strategies for organizations worldwide.
In addition to the ongoing compromise attempts, Microsoft reported the presence of information-stealing malware on a device belonging to one of its customer support agents. This access allowed the attackers to gather basic account information for a limited number of customers. Microsoft noted that this data was subsequently leveraged to execute targeted attacks, emphasizing the need for robust endpoint security measures.
The current wave of attacks follows an earlier incident where Nobelium exploited a compromised USAID account to distribute phishing emails to over 150 organizations across 24 countries. These emails facilitated the deployment of backdoors, enabling the threat actors to siphon valuable information from the targeted systems effectively.
Moreover, the recent disclosures highlight a troubling trend: this marks the second instance where the threat actors have launched direct campaigns against Microsoft. Earlier this February, the company revealed that the hackers had infiltrated its network, gaining access to source code related to multiple products and services.
In light of these evolving tactics, the U.S. Securities and Exchange Commission has initiated an investigation into the SolarWinds breach, probing whether affected organizations appropriately disclosed the incident—a crucial consideration for business leaders concerned about compliance and transparency in cybersecurity.
Throughout this incident, MITRE ATT&CK tactics and techniques such as Initial Access, OS Credential Dumping, and Execution have likely played critical roles in the attackers’ strategies. As organizations navigate this complex landscape, it is imperative for them to understand these techniques and employ comprehensive security measures to mitigate potential risks.
As the cybersecurity threat landscape continues to evolve, vigilance and proactive management of security protocols remain essential. Organizations must prioritize informed security practices to navigate the complexities introduced by sophisticated actors like Nobelium.