IT companies have made up the majority of organisations targeted amid new activity by the group behind last year’s SolarWinds supply-chain attack, with at least one victim coming from Microsoft’s customer support ranks.
On 25 June, the Microsoft Threat Intelligence Centre said it was tracking new activity from the Nobelium threat actor – as Microsoft has dubbed the group – with the vendor observing password spray and brute-force attacks, among other potential methods and tactics.
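The two techniques Microsoft names above differ in shape rather than in tooling: a password spray tries one or two common passwords against many accounts, while classic brute force hammers a single account with many guesses, so each leaves a different footprint in authentication logs. The following is an added example, not code from Microsoft or from this article, that parses a constructed sign-in log (the line format, IP addresses, usernames and the thresholds are assumptions for illustration), labels each source address by its failure pattern, and flags accounts where a flagged source later succeeded, which is the signal an incident responder would use to shortlist compromised entities.

```python
"""Distinguish password spray from brute force in a simple auth log.

Added example (not Microsoft's or the article's code). The log format
"<timestamp> <source_ip> <username> <OK|FAIL>" and the thresholds below are
constructed assumptions; real sign-in logs (e.g. Azure AD or Windows 4625
events) carry the same fields under different names.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample log: one spray source, one brute-force source, one
# ordinary user who mistyped a password once, and a successful sign-in for
# "carol" from the spraying source.
SAMPLE_LOG = """\
2021-06-25T10:00:01Z 203.0.113.7 alice FAIL
2021-06-25T10:00:02Z 203.0.113.7 bob FAIL
2021-06-25T10:00:03Z 203.0.113.7 carol FAIL
2021-06-25T10:00:04Z 203.0.113.7 dave FAIL
2021-06-25T10:00:05Z 203.0.113.7 erin FAIL
2021-06-25T10:00:06Z 203.0.113.7 frank FAIL
2021-06-25T10:00:07Z 203.0.113.7 carol OK
2021-06-25T10:00:10Z 198.51.100.9 admin FAIL
2021-06-25T10:00:11Z 198.51.100.9 admin FAIL
2021-06-25T10:00:12Z 198.51.100.9 admin FAIL
2021-06-25T10:00:13Z 198.51.100.9 admin FAIL
2021-06-25T10:00:14Z 198.51.100.9 admin FAIL
2021-06-25T10:00:15Z 198.51.100.9 admin FAIL
2021-06-25T10:00:16Z 198.51.100.9 admin FAIL
2021-06-25T10:00:17Z 198.51.100.9 admin FAIL
2021-06-25T10:00:20Z 192.0.2.5 alice FAIL
2021-06-25T10:00:21Z 192.0.2.5 alice OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<user>\S+)\s+(?P<result>OK|FAIL)$")


class AuthEvent(NamedTuple):
    ts: str
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[AuthEvent]:
    """Parse log lines in chronological order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(m.group("ts"), m.group("ip"),
                                    m.group("user"), m.group("result") == "OK"))
    return events


def classify_sources(events: List[AuthEvent],
                     spray_min_users: int = 5,
                     spray_max_per_user: int = 2,
                     brute_min_attempts: int = 8) -> Dict[str, str]:
    """Label each source IP as password_spray, brute_force or benign.

    Spray: failures against many distinct accounts, few per account.
    Brute force: many failures concentrated on a single account.
    Thresholds are assumptions; tune them to the tenant's baseline.
    """
    failures: Dict[str, Counter] = defaultdict(Counter)  # ip -> user -> fails
    for e in events:
        if not e.ok:
            failures[e.ip][e.user] += 1

    labels = {}
    for ip, per_user in failures.items():
        distinct_users = len(per_user)
        peak = max(per_user.values())
        if distinct_users >= spray_min_users and peak <= spray_max_per_user:
            labels[ip] = "password_spray"
        elif peak >= brute_min_attempts:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "benign"
    return labels


def suspected_compromises(events: List[AuthEvent],
                          labels: Dict[str, str]) -> Set[str]:
    """Accounts that a flagged source failed against and then signed into."""
    failed_pairs = set()
    hits = set()
    for e in events:
        if labels.get(e.ip, "benign") == "benign":
            continue
        if not e.ok:
            failed_pairs.add((e.ip, e.user))
        elif (e.ip, e.user) in failed_pairs:
            hits.add(e.user)
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    src_labels = classify_sources(evs)
    for ip, label in sorted(src_labels.items()):
        print(f"{ip:15} {label}")
    print("suspected compromised accounts:", sorted(suspected_compromises(evs, src_labels)))
```

The per-source view is what makes the spray visible: each targeted account sees only one failure, which is below any per-account lockout threshold, so a detection keyed on the source rather than the account is needed. The `suspected_compromises` step turns the "mostly unsuccessful" picture into a short list of accounts to reset and notify.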
While the recent activity was mostly unsuccessful, it was targeted at specific customers, mostly IT companies, which comprised 57 per cent of total targets. The IT segment was followed by government, which comprised 20 per cent of targets, and smaller percentages for non-governmental organisations and think tanks, as well as financial services.
In total, 36 countries were targeted, but the activity was largely focused on US interests, which claimed about 45 per cent, followed by 10 per cent in the UK, and smaller numbers from Germany and Canada.
Although Microsoft claims the majority of targets were not successfully compromised, the company said it was aware of at least three compromised entities to date.
“All customers that were compromised or targeted are being contacted through our nation-state notification process,” the Microsoft Security Response Centre team said in a blog post.
As part of Microsoft’s investigation into the latest activity by the Nobelium threat actor, Microsoft revealed it had also detected information-stealing malware on a machine belonging to one of its own customer support agents with access to basic account information for a small number of its customers.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” the company said. “We responded quickly, removed the access and secured the device.
“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our zero trust ‘least privileged access’ approach to customer information.
“We are notifying all impacted customers and are supporting them to ensure their accounts remain secure,” it added.
Microsoft stressed that the latest activity by the threat actor reinforces the importance of best practice security precautions such as zero trust architecture and multi-factor authentication.
US cyber security firm FireEye revealed late last year it had become a victim of a “nation-state” cyber attack by a “highly sophisticated threat actor”. The breach was part of a much larger attack carried out through malicious updates to a popular network monitoring product and impacted major government organisations and companies.
The attack involved hackers compromising the infrastructure of SolarWinds, which produces a network and applications monitoring platform called Orion, and then using that access to produce and distribute trojanised updates to the software's users.
By January this year, anti-malware software vendor Malwarebytes also became swept up in last year's attack on SolarWinds. The US-based vendor admitted it received notices of suspicious third-party activity from the Microsoft Security Response Centre on December 15.
According to Malwarebytes, these reflected tactics, techniques and procedures (TTPs) of the same advanced threat actor involved in the SolarWinds attacks, reportedly a hacking group linked to the Russian government.
In May this year, it was revealed the threat actor behind the SolarWinds hack had led a new targeted campaign spanning nearly 3,000 emails, with the group going after more than 150 organisations encompassing government agencies, think tanks, consultants and non-governmental organisations.
It should be noted that this new attack activity reported by Microsoft is unrelated to the previous 'SunBurst' attack on SolarWinds.
"The latest cyber attack reported by Microsoft does not involve our company or our customers in any way," a spokesperson for SolarWinds said.