Limebite 07/21

Microsoft warns of recent activity by Nobelium focused on IT Companies

Nitesh Patel, Thomas Chapman

In late June 2021, Microsoft revealed through its Security Response Center (SRC) and other avenues that the Nobelium threat actor has been targeting its customers across 36 countries with password spray and brute-force attacks.

Microsoft detected malware on the system of a customer support agent that contained basic account information for some customers. It is suspected that Nobelium used this information to launch tailored and targeted attacks.

The majority of the targets were IT companies, which are an increasing focus for threat actors who see them as a conduit to access and compromise many more businesses. While Microsoft has said that Nobelium’s recent conduct was largely unsuccessful, it confirmed that 3 entities had been compromised.

This latest activity by Nobelium follows an update by Microsoft in May 2021 about a wave of phishing attacks conducted by the same group. Significantly, Nobelium is suspected to be behind the highly sophisticated SolarWinds supply chain attack that was identified in late 2020.

Due to its sophistication, the SolarWinds incident remained undetected for many months and impacted a number of SolarWinds’ clients, which included many large companies and government agencies. Nobelium gained access to SolarWinds’ environment and added malicious code into an update for SolarWinds’ Orion software (widely used to manage IT resources). When the update was downloaded and deployed, it installed malware onto client systems that granted unauthorised access to the impacted systems.

The latest warning is another reminder for Microsoft customers, but also for businesses generally and especially IT companies, to have robust cyber security measures in place to mitigate cyber risk. The 2 attack methods identified by Microsoft rely on deficiencies in password hygiene and a failure to properly implement multi-factor authentication. Microsoft, as part of best practice security, also recommends implementing a zero-trust architecture, identity and access management, and least-privilege access models.
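The two methods named above leave different footprints in sign-in logs: a brute-force attack repeats failures against one account, while a password spray tries a few passwords against many accounts from the same source so that per-account lockout never fires. The following script is an added illustration written for this summary, not code from Microsoft or from the SRC release; the log format and the sample lines are constructed, and the thresholds (10-minute window, 5 accounts, 5 attempts) are assumed starting points that a team would tune to its own environment.

```python
"""Flag password-spray and brute-force patterns in sign-in logs.

Constructed example for illustration; the log format
'<timestamp> <FAIL|SUCCESS> <user> <source-ip>' and the sample data
are made up, and the thresholds are assumptions to be tuned.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Source 203.0.113.10 sprays
# five accounts once each and then succeeds on a sixth; 198.51.100.7
# hammers a single account; 192.0.2.44 is a lone failure.
SAMPLE_LOG = """\
2021-06-25T09:00:01Z FAIL alice@example.com 203.0.113.10
2021-06-25T09:00:04Z FAIL bob@example.com 203.0.113.10
2021-06-25T09:00:07Z FAIL carol@example.com 203.0.113.10
2021-06-25T09:00:10Z FAIL dave@example.com 203.0.113.10
2021-06-25T09:00:13Z FAIL erin@example.com 203.0.113.10
2021-06-25T09:00:16Z SUCCESS frank@example.com 203.0.113.10
2021-06-25T09:01:00Z FAIL alice@example.com 198.51.100.7
2021-06-25T09:02:00Z FAIL alice@example.com 198.51.100.7
2021-06-25T09:03:00Z FAIL alice@example.com 198.51.100.7
2021-06-25T09:04:00Z FAIL alice@example.com 198.51.100.7
2021-06-25T09:05:00Z FAIL alice@example.com 198.51.100.7
2021-06-25T09:05:30Z FAIL alice@example.com 198.51.100.7
2021-06-25T10:30:00Z FAIL grace@example.com 192.0.2.44
"""


def parse(text):
    """Parse log lines into sorted (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return sorted(events)


def detect(text, window=timedelta(minutes=10), min_accounts=5,
           max_per_account=2, brute_min=5):
    """Group failures by source IP and fixed time window, then classify.

    Spray: many distinct accounts, few attempts each.
    Brute force: one account hit at least brute_min times.
    Any later success from the same source is recorded, because a
    spray that ends in a successful sign-in is the case to escalate.
    """
    epoch = datetime(1970, 1, 1)
    fails = defaultdict(list)      # (ip, window index) -> [(ts, user)]
    successes = defaultdict(list)  # ip -> [(ts, user)]
    for ts, result, user, ip in parse(text):
        if result == "FAIL":
            fails[(ip, (ts - epoch) // window)].append((ts, user))
        else:
            successes[ip].append((ts, user))

    findings = []
    for (ip, _idx), evs in sorted(fails.items()):
        per_user = Counter(user for _, user in evs)
        last_fail = max(ts for ts, _ in evs)
        later_success = [u for ts, u in successes[ip] if ts >= last_fail]
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            findings.append({"ip": ip, "kind": "password_spray",
                             "accounts": len(per_user), "attempts": len(evs),
                             "success_after": later_success})
        elif max(per_user.values()) >= brute_min:
            user, n = per_user.most_common(1)[0]
            findings.append({"ip": ip, "kind": "brute_force",
                             "account": user, "attempts": n,
                             "success_after": later_success})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The spray finding carries the list of accounts that subsequently signed in successfully from the same source; that is the signal that an account with a weak password and no multi-factor authentication has been taken over, and it is the first thing to act on when this fires.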

More broadly, businesses should look to implement the Australian Cyber Security Centre’s Essential 8 as a base standard of measures. Businesses that rely on an IT provider for the maintenance and upkeep of their systems need to have an urgent conversation about the adequacy of the cyber security measures in place and whether specialist services are needed.

Having adequate cyber defences is imperative to limiting the risk of compromise, minimising costly downtime and facilitating prompt data recovery for business continuity and resilience.

If you need help to gauge or improve your cyber resilience, or to deal with a cyber incident, we can assist with a range of services and expertise.

To read the Microsoft SRC release, click here.

To stay updated with our Limebites, please share and follow the author on Linkedin.

This publication constitutes a summary of the information of the subject matter covered. This information is not intended to be nor should it be relied upon as legal or any other type of professional advice. For further information in relation to this subject matter please contact the author.