Over the past several months, a notorious Russian-linked group believed responsible for the SolarWinds attack in 2020 has unleashed a new series of cyber-operations. These latest attacks are thrusting supply-chain and cloud security back into the spotlight.
On Oct. 24, Microsoft published a security alert from its Threat Intelligence Center, detailing how a Russian-linked group called “Nobelium” has targeted approximately 140 managed service and cloud service providers since May. At least 14 of these victimized firms have been breached or compromised.
As part of this cyber campaign, attackers targeted IT and cloud service providers that have privileged access to other organizations, and then used those compromised credentials to extend the campaign to various think tanks, government agencies and businesses in the U.S. and Europe.
“Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems,” according to Microsoft’s security researchers. “These attacks are not the result of a product security vulnerability but rather a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts.”
This latest series of sophisticated nation-state attacks is once again highlighting the vulnerabilities that come with the cloud and other online services, as well as the global supply chain and reliance on contractors.
Security experts note that IT and security teams need to continue assessing the risk that comes with supply chains, as well as the increased reliance on cloud-based services and apps.
“Trusted relationships between providers and user organizations are highly valuable and an essential part of modern security processes. Compromising privileged accounts that have a high level of access enables threat actors to move through the cyber kill chain with little chance of being detected,” Chris Morgan, a senior cyber threat intelligence analyst at security firm Digital Shadows, recently told Dice. “Given that many of the organizations impacted by this activity are reportedly cloud and managed service providers, it is realistically possible that the scope of this incident could increase.”
Russian Fingerprints
Nobelium is Microsoft’s name for a division within Russia’s Foreign Intelligence Service, or SVR, that carries out these types of cyber operations, which usually involve collecting data and intelligence from various targets. The group is also referred to by other security researchers as Cozy Bear, APT29 and The Dukes.
The SVR has conducted various cyber operations for years, and analysts believe that it carried out the original attack against the Democratic National Committee in 2016 that resulted in so much political fallout. In April, the Biden administration formally accused the SVR of carrying out the SolarWinds attacks, which targeted about 100 private firms and nine federal agencies in a supply-chain attack.
And while Microsoft first published its findings concerning this new malicious activity, other researchers have found similar tactics deployed over the last several months. For instance, security firm Mandiant published an updated blog on Oct. 28 that found UNC2452 (the company’s name for the Nobelium group) was moving laterally within compromised infrastructures from on-premises networks to Microsoft 365 cloud environments.
Abuse of cloud services and the ecosystem that helps supply them to organizations has been underway for some time and is likely to become worse over the coming years, said Oliver Tavakoli, CTO of security firm Vectra.
“As more valuable data moves to the cloud, more attackers acquire more skills relevant to attacking assets in the cloud,” Tavakoli told Dice. “The game of hopscotch played across organizations and visibility domains is still difficult to orchestrate and will generally be tradecraft of nation-state actors. But expect the next tier down in the food chain—ransomware gangs—to concentrate on cloud systems in the coming months and years.”
Jake Williams, a former member of the U.S. National Security Agency's elite hacking team who is now the CTO of Georgia-based incident response firm BreachQuest, also notes that these types of attacks (i.e., taking advantage of third-party firms that deliver cloud services) are becoming more common.
“Threat actors see value in targeting IT service providers—many of which specialize in delivering cloud services,” Williams said. “This isn’t surprising. Compromising an IT service provider gives the threat actor access into multiple other organizations.”
Security Headaches
Both Tavakoli and Williams note that Microsoft’s analysis of the recent Russian-linked attacks offers more details about the failings of certain cloud service and managed service providers than flaws in the actual cloud technology itself.
There are ways, however, for users of these third-party providers to check that the providers are delivering on the security basics.
“This is less about the security of ISPs and IaaS providers and more about the security of MSPs and other similar companies to whom an organization delegates administrative privileges to manage something inside the organization’s enclave. You need to inquire into the security practices of your MSP,” Tavakoli said. “Make sure they have more than just a security compliance program—do they run regular red team exercises and pass them? Are they limiting their attack surface? Remember that the Kaseya attack was only possible because the Kaseya VSP servers run by some MSPs were easily accessible on the internet. And regularly review the risk associated with any privileges you have granted to other organizations because you have just added their attack surface to yours.”
Williams notes that, in cases where organizations rely on third parties to help run and maintain their Azure cloud infrastructure, there are specific questions they can ask to confirm that security is being handled.
“I would first ask if they’ve taken advantage of Microsoft’s offer of free Azure AD Premium and, if so, ask how they are reporting on Active Directory access privileges,” Williams told Dice. “If they can’t answer, that’s a huge red flag—especially since Microsoft is making this free for two years to all service providers. I would also want to know how they are responding to Microsoft’s guidance. Ask for specific details in this regard.”
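As an added illustration of the review Tavakoli and Williams describe (this is example code, not code from the article or from any vendor), the script below audits a list of delegated-access grants held by outside providers and flags high-privilege built-in roles and standing delegations with no expiry. The export layout and the provider names are constructed assumptions; only the role definition IDs are Azure's well-known built-in ones.

```python
"""Audit privileges delegated to outside providers (example, not vendor code)."""
import json
from datetime import datetime, timezone

# Well-known Azure built-in RBAC role definition IDs that grant broad control.
HIGH_PRIVILEGE_ROLES = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "b24988ac-6180-42a0-ab88-20f7382dd24c": "Contributor",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}

# Constructed sample export. The field layout is an assumption for this example,
# a simplification of what a delegation (e.g. Azure Lighthouse) export contains.
SAMPLE_EXPORT = json.dumps([
    {
        "provider": "Example MSP (constructed)",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000001",
        "expiresOn": "2022-01-31T00:00:00+00:00",
        "authorizations": [
            {"principalDisplayName": "msp-admins",
             "roleDefinitionId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"},
            {"principalDisplayName": "msp-readers",
             "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7"},  # Reader
        ],
    },
    {
        "provider": "Example backup vendor (constructed)",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000002",
        "expiresOn": None,  # standing access: never expires on its own
        "authorizations": [
            {"principalDisplayName": "backup-operators",
             "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"},
        ],
    },
])


def audit_delegations(export_json, now_iso):
    """Return (provider, finding_kind, detail) tuples for risky delegations."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    findings = []
    for d in json.loads(export_json):
        for auth in d["authorizations"]:
            role = HIGH_PRIVILEGE_ROLES.get(auth["roleDefinitionId"])
            if role:  # broad role held by a principal in another tenant
                findings.append((d["provider"], "high-privilege",
                                 f"{role} for {auth['principalDisplayName']} on {d['scope']}"))
        if not d.get("expiresOn"):
            findings.append((d["provider"], "standing-access", "no expiry; persists until revoked"))
        elif datetime.fromisoformat(d["expiresOn"]) < now:
            findings.append((d["provider"], "expired", "expired delegation still present; remove it"))
    return findings
```

Run it against a real export on a schedule and treat every "high-privilege" or "standing-access" line as a grant to re-justify with the provider, not a one-time check.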
Updating Skills
Whether an organization is managing its own cloud infrastructure and applications or relying on a third-party partner, security experts say security and IT organizations need workers with the skill sets to understand how to manage these environments.
Tavakoli noted that, with the increasing and rapid development of cloud technologies, even large organizations need to keep up-to-date and ensure that their IT and security staff are trained.
“Cloud systems are different than on-premise systems. They involve new concepts, new telemetry and new tools. Many security teams within larger organizations are lagging in their cloud security capabilities,” Tavakoli said. “They need to catch up as even a small cloud footprint can be leveraged to attack their much larger on-premise network. Importantly, they need to stitch their cloud and on-premise visibility and threat detection worlds together.”
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, added that, by developing these skills among IT and security, organizations can get more use out of their cloud services while improving security.
“Don’t expect the skills you have for traditional security to help with cloud security,” Carson told Dice. “Organizations must obtain expert resources who understand cloud security to help ensure they get the best value out of cloud services and security.”