The allegedly Russian hackers behind the compromise of SolarWinds’ IT management software have apparently gained access to a Microsoft support agent’s tools to target primarily IT companies as part of a larger series of attacks that included phishing and brute force.
This is new activity from the hacking group that Microsoft calls Nobelium, the same group attributed to the compromise of SolarWinds’ Orion IT management platform that primarily targeted government agencies and adjacent entities.
These new attacks do not involve SolarWinds or its customers in any way, a SolarWinds spokesperson told us via email.
According to Microsoft, the group compromised a machine belonging to a Microsoft customer support agent and installed information-stealing malware on it. The agent had access to basic account information for “a small number” of Microsoft customers.
That information was used to launch highly targeted attacks as part of Nobelium’s broader campaign that includes other tactics like password spray and brute-force attacks.
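The article names password spray and brute force as two of the campaign's tactics without spelling out how a defender tells them apart in sign-in telemetry. The following is an added example, not code from the article or from Microsoft: a password spray is one source failing against many distinct accounts in a short window (one or two guesses per account, staying under per-account lockout thresholds), while brute force is many failures piled onto one account. The sign-in events, the 15-minute window and the thresholds (5 distinct accounts, 10 attempts) are constructed assumptions for illustration; real thresholds depend on your tenant's lockout policy and baseline. The last function shows the signal a practitioner actually cares about: a successful sign-in from a source that was spraying.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, account, source_ip, outcome).
# Made up for this example; not telemetry from Microsoft or from the article.
SAMPLE_EVENTS = [
    # 198.51.100.9 tries one guess against many accounts: a spray, ending in a hit.
    ("2021-06-25T10:00:01Z", "alice@example.test", "198.51.100.9", "FAIL"),
    ("2021-06-25T10:00:05Z", "bob@example.test",   "198.51.100.9", "FAIL"),
    ("2021-06-25T10:00:09Z", "carol@example.test", "198.51.100.9", "FAIL"),
    ("2021-06-25T10:00:14Z", "dave@example.test",  "198.51.100.9", "FAIL"),
    ("2021-06-25T10:00:20Z", "erin@example.test",  "198.51.100.9", "FAIL"),
    ("2021-06-25T10:00:26Z", "frank@example.test", "198.51.100.9", "SUCCESS"),
    # A legitimate user mistypes once, then signs in: should trigger nothing.
    ("2021-06-25T12:00:00Z", "heidi@example.test", "192.0.2.33", "FAIL"),
    ("2021-06-25T12:00:30Z", "heidi@example.test", "192.0.2.33", "SUCCESS"),
] + [
    # 203.0.113.7 hammers a single account: twelve failures in one minute.
    (f"2021-06-25T11:00:{sec:02d}Z", "grace@example.test", "203.0.113.7", "FAIL")
    for sec in range(0, 60, 5)
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _window_stats(items, window):
    """Two-pointer sweep over (timestamp, value) pairs.

    Returns (max_attempts, max_distinct): the largest number of events, and the
    largest number of distinct values, that fall inside any span of length `window`.
    """
    items = sorted(items)
    counts = Counter()
    left = 0
    max_attempts = max_distinct = 0
    for right, (ts, value) in enumerate(items):
        counts[value] += 1
        # Slide the left edge forward until the window is no wider than `window`.
        while ts - items[left][0] > window:
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        max_attempts = max(max_attempts, right - left + 1)
        max_distinct = max(max_distinct, len(counts))
    return max_attempts, max_distinct


def classify_failures(events, window=timedelta(minutes=15),
                      spray_min_accounts=5, brute_min_attempts=10):
    """Separate spraying sources from brute-forced accounts.

    Thresholds and window are assumed values for the example. Returns
    {"password_spray": {source_ip: distinct_accounts},
     "brute_force":    {account: failed_attempts}}.
    """
    by_ip = defaultdict(list)       # ip      -> [(ts, account)]
    by_account = defaultdict(list)  # account -> [(ts, ip)]
    for ts, account, ip, outcome in events:
        if outcome != "FAIL":
            continue
        t = parse_ts(ts)
        by_ip[ip].append((t, account))
        by_account[account].append((t, ip))

    spray = {}
    for ip, items in by_ip.items():
        _, distinct_accounts = _window_stats(items, window)
        if distinct_accounts >= spray_min_accounts:
            spray[ip] = distinct_accounts

    brute = {}
    for account, items in by_account.items():
        attempts, _ = _window_stats(items, window)
        if attempts >= brute_min_attempts:
            brute[account] = attempts

    return {"password_spray": spray, "brute_force": brute}


def successes_from_spraying_sources(events, **kwargs):
    """The event worth paging on: a SUCCESS from a source already flagged as spraying.

    Returns [(account, source_ip), ...] in event order.
    """
    spraying = classify_failures(events, **kwargs)["password_spray"]
    return [(account, ip) for _, account, ip, outcome in events
            if outcome == "SUCCESS" and ip in spraying]


if __name__ == "__main__":
    print(classify_failures(SAMPLE_EVENTS))
    print(successes_from_spraying_sources(SAMPLE_EVENTS))
```

On the constructed input, 198.51.100.9 is flagged as a spraying source (five distinct accounts), grace@example.test as a brute-forced account (twelve failures), and frank@example.test's successful sign-in from the spraying source surfaces as the likely compromise. Heidi's single typo produces nothing. The distinct-accounts dimension is what per-account lockout policies miss, which is why sprays are counted per source rather than per account.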
According to the company, 57% of the targets were IT companies, 20% were in government and the remainder included think tanks and financial services. Most of the activity was in the U.S. with other targets in Europe and Canada.
In a Microsoft Security Response Center blog, the company said it quickly removed the access and secured the device.
“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information,” Microsoft said in the blog. “We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”
According to Microsoft, only three entities have been compromised via this recent activity. Customers who are compromised or targeted are being contacted through Microsoft’s nation-state notification process.
The company’s security response team also called on IT professionals to implement security best practices, including identity and access management, zero trust and least-privilege access models, to help ensure that only legitimate users access an organization’s data.
This activity follows Nobelium’s compromise of the SolarWinds platform and another phishing campaign using the U.S. Agency for International Development’s email marketing tool which included information-stealing malware.
This article has been updated to reflect comments from a SolarWinds spokesperson.