Microsoft has mapped out how the Advanced Persistent Threat 29 hacking group, which it calls Nobelium, targeted hundreds of its resellers this year, compromising as many as 14 in the process.
The software giant's head of customer security and trust, Tom Burt, said the hacks were carried out by the Russian government's Foreign Intelligence Service (FIS or SVR), the same agency Microsoft blames for the widely publicised SolarWinds attacks in 2020.
As with the SolarWinds hacking, the SVR is again going after supply chains, but in a different manner from last year.
"This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers," Burt wrote.
"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers."
Russia appears to be working on gaining a long-term foothold in the technology supply chain for surveillance purposes, Microsoft believes.
Since May this year, Microsoft has notified over 140 resellers and technology service providers that they had been targeted by Nobelium.
As many as 14 of the resellers were successfully hacked, Burt said.
Password spraying and phishing to steal legitimate credentials are the main attack vectors.
To mitigate the Nobelium attacks, Microsoft advises using multi-factor authentication, improving monitoring, and taking measures such as removing unused privileged accounts.