Nobelium, the hacker group responsible for the cyberattack on SolarWinds late last year, is still active. The group is reported to have set its sights on technology companies and partners involved in cloud computing. Since last May, it has attacked more than 140 parties, at least 14 of which were compromised.
This is according to research by Microsoft.
Lead-up to the chain attack on SolarWinds
For the start of this case, we have to go back to December 2020. Cybersecurity company FireEye then said that hackers had managed to steal all kinds of scripts, scanners and tools. These could be used to carry out cyberattacks on unsuspecting victims. The Nobelium hackers broke into SolarWinds’ corporate network. They then exploited a vulnerability in Orion Network Management Tools. SolarWinds customers use this software to remotely monitor and maintain corporate networks, databases, servers and web applications.
The hackers installed a so-called backdoor in the SolarWinds software. This hidden entry point became known as Sunburst. Through it, the Nobelium hackers attacked SolarWinds customers. This method is also called a supply chain attack or chain attack.
The exact number of victims is still unknown. Initially, it was suggested that there were a total of 18,000 victims, including the US Departments of the Treasury, the Interior, Homeland Security, Economic Affairs, Justice and Defense. That number was soon reduced to more than 250 companies and organizations. According to SolarWinds, fewer than a hundred customers were actually affected by the supply chain attack.
Nobelium focuses on cloud computing companies
Cyber security experts assume that Nobelium is responsible for the cyberattack on SolarWinds. The Russian secret service is said to have ordered the hacker collective to attack the American IT service provider. Russia has always denied the allegations. Russian Foreign Minister Sergei Lavrov dismissed the allegations as “an unwarranted attempt by the US media to blame Russia.”
Although the attack on SolarWinds has been contained, the hackers who carried it out are still active. Research by Microsoft shows that they have tried to claim new victims. According to the American hardware and software company, the attackers are this time targeting companies and organizations involved in cloud computing. These are suppliers of products such as servers, databases and software for storing data in the cloud via the internet.
Small number of victims due to Microsoft action
“We believe that Nobelium eventually hopes to piggyback on the direct access that vendors have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to access their downstream customers,” wrote Tom Burt, vice president of Customer Security & Trust at Microsoft, in a security blog.
According to Burt, between May and October, members of Nobelium attacked more than 140 tech companies active in cloud computing. There were at least 14 victims, possibly more. “Fortunately, we discovered this campaign early on, and we are sharing these developments to help cloud service resellers, technology vendors and their customers take timely steps to ensure Nobelium doesn’t become even more successful.”
Burt says Microsoft warned a total of 609 customers between July 1 and October 19. In those three-and-a-half months, these customers were attacked 22,868 times by Nobelium. That is more than the number of warnings Microsoft issued in the past three years, when the counter stood at 20,500. However, the success rate was ‘in the single digits’.
Hackers use new strategies
Microsoft emphasizes that this time Nobelium members have used different strategies to penetrate their victims’ corporate networks. At SolarWinds, they made use of exploits and other vulnerabilities in the software. In recent months, they have relied on techniques we are all familiar with, such as phishing and password spraying.
In password spraying, an attacker tries to take over accounts by entering commonly used passwords. To avoid getting caught, the attacker tries the same password against many different accounts rather than many passwords against one account. If that password does not work for any account, the attacker switches to a second password; if that also fails, a third follows, and so on, until there is a match. Because each account sees only a single attempt per round, no account gets locked out and the activity is far less likely to be noticed.
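The same property that hides a spray from per-account lockout (many accounts, one try each) is what a defender can alert on when sign-in logs are grouped by source instead. The following detector is an added example, not code from the article or from Microsoft; the log format, IP addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "timestamp source_ip account outcome".
# 203.0.113.7 sprays one password across many accounts (one try each);
# 198.51.100.9 is an ordinary user who mistypes twice, then signs in.
SAMPLE_LOG = """\
2021-10-25T09:00:01 203.0.113.7 alice FAIL
2021-10-25T09:00:05 203.0.113.7 bob FAIL
2021-10-25T09:00:09 203.0.113.7 carol FAIL
2021-10-25T09:00:14 203.0.113.7 dave FAIL
2021-10-25T09:00:20 203.0.113.7 erin FAIL
2021-10-25T09:00:26 203.0.113.7 frank FAIL
2021-10-25T09:00:31 203.0.113.7 grace SUCCESS
2021-10-25T09:01:00 198.51.100.9 alice FAIL
2021-10-25T09:01:10 198.51.100.9 alice FAIL
2021-10-25T09:01:20 198.51.100.9 alice SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, source_ip, account, outcome) for each log line."""
    for line in text.splitlines():
        ts, src, account, outcome = line.split()
        yield datetime.fromisoformat(ts), src, account, outcome

def detect_spray(text, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Map source_ip -> set of sprayed accounts. A source is flagged when, inside
    `window`, its failures touch at least `min_accounts` distinct accounts while no
    single account fails more than `max_per_account` times (spray, not brute force)."""
    failures = defaultdict(list)
    for ts, src, account, outcome in parse_log(text):
        if outcome == "FAIL":
            failures[src].append((ts, account))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window over each failure
            counts = defaultdict(int)
            for ts, account in events[i:]:
                if ts - start <= window:
                    counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = set(counts)
                break
    return flagged

def successful_logins_from(text, sources):
    """Accounts that signed in successfully from a flagged source: check these first."""
    return {acct for _, src, acct, out in parse_log(text) if src in sources and out == "SUCCESS"}
```

Per-account lockout thresholds never fire on this log; grouping by source is what surfaces the spray, and the follow-up query shows which account it actually got into.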
According to Microsoft, governments in Europe and the United States should work together more closely to exchange knowledge and prevent repetition in the future.