Latest Russian espionage activity is broader than SolarWinds-style hacking effort, Microsoft’s Tom Burt says
An apparent espionage campaign from the same Russian hacking group that breached the U.S. federal contractor SolarWinds in 2020 differed from that incident — which sparked congressional hearings and a reckoning throughout the U.S. federal government — in significant ways, according to Tom Burt, Microsoft’s corporate vice president for customer security and trust.
The latest effort unveiled Sunday by Microsoft represents an example of how the group, which the company calls Nobelium and says is connected to the Kremlin’s SVR intelligence agency, targeted whole classes of companies, such at technology resellers and cloud service providers. The company said the intruders compromised 14 of the 140 service providers that were targeted, though investigators appear to have caught the effort relatively early, with Microsoft alerting government officials and publishing an advisory on the matter some five months after the activity appeared to begin. Attackers breached SolarWinds in January 2019, nearly two years before they were caught.
Malicious activity from Nobelium, also known as Cozy Bear, remains ongoing, according to Microsoft. It has aimed to infect a broader set of targets in the global supply chain, Burt said Monday during an interview with CyberScoop.
This conversation has been slightly edited for length and clarity.
CyberScoop: Can you break down the targets and victims further by industry or location?
Tom Burt: Well, not really. And I think that’s an important point that is maybe being missed a little bit in some of the coverage I’ve seen so far, which is in this particular case we caught this new campaign relatively early. Think of this as like SolarWinds, if we caught SolarWinds during the first couple of months that they were engaged in their campaign instead of many months later, after the same group that we call Nobelium, the Russian SVR, had successfully gotten into the networks of nine or 10 U.S. government agencies and looked at all their email for six months.
In this case, what we saw was this activity to create a new campaign to again go after the supply chain, but in a different way. What they’ve gone after are the cloud service resellers. And what we’ve seen is that they were attacking those cloud service resellers, as a platform, as a launchpad, to then go to the endpoint customers that they were really interested in for doing their surveillance and espionage work. And we know that the resellers that they targeted have customers that include government agencies and think tanks and academia, among many others.
It looks to us like they were trying to create this initial toehold, this launching pad, to conduct further espionage. The reason we wanted to publish — now that we had a good understanding of what they were doing — is so that people, both in this supply chain as well as their endpoint customers, could take steps to be aware of this, and protect themselves, so that we don’t have another SolarWinds.
CS: What makes the resellers an interesting, different or important target?
TB: They’re a really interesting target because they are another category of supply chain participants that typically have escalated privileges in the accounts of their customers. One of the reasons that these guys went after SolarWinds is because they did their research and they understood that the SolarWinds Orion software, because it was network management and optimization software, necessarily had high privileges within the customer networks that they worked with. The same thing is true of these cloud service resellers. They very typically will have some escalated privileges into their customer networks.
What Nobelium is doing, what this Russian SVR group is doing, is they’re looking for those links in the supply chain where they can go live. And remember these guys are really good with their operational security so once they get in, they like to stay there and hide. They wanted to get into some of these resellers networks, and then they could hide there and launch from there to the endpoints that they’re after.
This is really important because it’s a different piece of the supply chain. SolarWinds was specific to people who were using their software. This is broader in the sense that they’re going after many different companies, like multiple different SolarWinds, but these companies are all these resellers, and that gives Nobelium potential access to all of those resellers’ customers.
CS: Could you elaborate on the kind of hacking techniques the attackers used?
TB: There are two stages. The first stage is, how did they get into the resellers’ networks? And what they’ve been doing primarily is password spray. And by the way, [for] most nation-state actors, including these guys and other Russian actors and in general most patient state actors, password spray and brute force password attacks are just their staples. That’s what they do, they do it all the time. In this case, is they were engaged in password spray against these resellers. Similarly, that’s how they got into SolarWinds’ networks, is our understanding. I don’t think that’s ever been fully confirmed exactly how they got in, but we think they got into SolarWinds through some kind of password compromise, [which is] just the standard technique.
What’s new here, though, is what they then do. Just like they invented a new technique [for SolarWinds] — the way they dropped their malware into the Orion build as it was being built in the SolarWinds context, and then in that update process got their malware into the customer environments — similarly here, they’re using the escalated privileges that these companies have in their customer environments. We believe their intent was to use those escalated privileges to then infiltrate those customer environments, and that’s where they’re doing their more innovative, novel work. That’s where, in our blogs, we describe the steps that both the resellers should take and their customers should take to protect themselves.
CS: How have you coordinated with government agencies, and what did you make of the government official that’s been quoted saying these companies wouldn’t have been hit if they had taken some basic security steps?
TB: Yes, so two things about that. One is, we’ve been working with applicable government agencies as we’ve done this investigation and kept them up to speed on what we were seeing and learning, and made sure that they were aware of this information. In terms of the government official that’s been quoted some in the press: My response to that is, it’s absolutely right that the private sector needs to do more to protect ourselves against cyberattacks. Basic cybersecurity hygiene is super important and needs to be deployed across the ecosystem.
That’s exactly why we publish articles like this one, to let the ecosystem know and all the participants know, “Hey, we are all at risk, we all need to do a better job.” In this case in particular, we were very specific both about the things that everyone needs to do and then the things that are in the bullet points in my blog that Microsoft is stepping up to do to add to and help our customers. We want to help them be more secure and to defend against this and so we are taking a number of steps to do that.
But does the private sector bear responsibility to improve our cybersecurity? Yes, absolutely, no question about that.
