Microsoft has discovered new attacks by the Russian state-sponsored Nobelium hacking group, including the compromise of a Microsoft support agent's computer that exposed customers' subscription information.
Nobelium is Microsoft's name for a state-sponsored hacking group believed to operate out of Russia and held responsible for the SolarWinds supply-chain attacks.
Microsoft states that the hacking group has been conducting password spray and brute-force attacks to gain access to corporate networks.
In both password spray and brute-force attacks, the threat actors try to gain unauthorized access to an online account by guessing its password. In a password spray attack, they try the same few passwords across many accounts at once, keeping the attempt count per account low to avoid lockouts and other defenses. In a brute-force attack, a single account is targeted with many different password attempts.
According to Microsoft, the recent attacks have been mostly unsuccessful. However, Microsoft is aware of three entities that were breached by Nobelium in these attacks.
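The difference between the two techniques is visible in sign-in failure telemetry, and that is how a defender separates them. The following detection logic is an added example written for this article, not code from Microsoft or from the article itself; the log format (`timestamp account source_ip`, one failed sign-in per line) and the threshold values are assumptions chosen for illustration, and the log lines are constructed. A password spray shows up as one source failing against many distinct accounts with only one or two attempts each inside a short window; a brute-force attack shows up as one account accumulating many failures in the same window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed sign-in events (not from the article): "timestamp account source_ip".
# 203.0.113.7 sprays six accounts once each; 198.51.100.9 hammers 'alice' twelve times;
# 192.0.2.44 is a single benign failure.
SAMPLE_LOG = """
2021-06-20T10:00:01 alice 203.0.113.7
2021-06-20T10:00:03 bob 203.0.113.7
2021-06-20T10:00:05 carol 203.0.113.7
2021-06-20T10:00:07 dave 203.0.113.7
2021-06-20T10:00:09 erin 203.0.113.7
2021-06-20T10:00:11 frank 203.0.113.7
2021-06-20T10:20:00 alice 198.51.100.9
2021-06-20T10:20:02 alice 198.51.100.9
2021-06-20T10:20:04 alice 198.51.100.9
2021-06-20T10:20:06 alice 198.51.100.9
2021-06-20T10:20:08 alice 198.51.100.9
2021-06-20T10:20:10 alice 198.51.100.9
2021-06-20T10:20:12 alice 198.51.100.9
2021-06-20T10:20:14 alice 198.51.100.9
2021-06-20T10:20:16 alice 198.51.100.9
2021-06-20T10:20:18 alice 198.51.100.9
2021-06-20T10:20:20 alice 198.51.100.9
2021-06-20T10:20:22 alice 198.51.100.9
2021-06-20T11:30:00 grace 192.0.2.44
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, account, source_ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs that fail against many distinct accounts, few attempts each,
    inside one sliding window. Returns {source_ip: sorted list of targeted accounts}."""
    by_ip = defaultdict(list)
    for ts, account, ip in events:
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            counts = defaultdict(int)
            for ts, account in evs[i:]:
                if ts - start <= window:
                    counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break  # one hit per source is enough to raise an alert
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=10):
    """Flag accounts that receive many failures inside one sliding window,
    regardless of source. Returns {account: failure count in the first window that fired}."""
    by_account = defaultdict(list)
    for ts, account, _ip in events:
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        for i in range(len(stamps)):
            n = sum(1 for ts in stamps[i:] if ts - stamps[i] <= window)
            if n >= min_attempts:
                flagged[account] = n
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray sources:", detect_password_spray(evs))
    print("brute-forced accounts:", detect_brute_force(evs))
```

The spray detector keys on the source, because per-account lockout thresholds never trip when each account sees only one attempt; the brute-force detector keys on the account, because a patient attacker can rotate source addresses. Running both over the same failure stream is what lets an analyst tell the two patterns apart rather than treating every burst of failures the same way.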
In a blog post, the tech giant stated that this activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.
The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In total 36 countries were targeted.
During its investigation, Microsoft detected an information-stealing trojan on a Microsoft customer support agent's computer that provided access to "basic account information" for a limited number of customers.
That customer information was then used in targeted phishing attacks against Microsoft customers.
Microsoft has sent an email to affected customers warning them that the threat actors gained access to information about their Microsoft Services subscriptions.
The Nobelium hacking group, also known as APT29, Cozy Bear, and The Dukes, has been attributed to the recent SolarWinds supply chain attack that compromised numerous US companies, including Microsoft, FireEye, Cisco, Malwarebytes, Mimecast, and various US government agencies.