The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft employee’s computer and used the access to launch targeted attacks against customers of the company, Microsoft said in a terse statement released late Friday afternoon.
The hacking group also compromised three entities using password spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with a large number of login attempts. With the exception of the three undisclosed entities, Microsoft said, the password spray campaign was “mostly unsuccessful.” Microsoft has since notified all targets, whether the attacks were successful or not.
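The spraying and brute-force activity described above leaves two distinct shapes in ordinary authentication logs: a spray is one source failing once or twice against many different accounts, while brute force is one source failing many times against a single account. The following script is an added example, not code from the article, from Microsoft, or from Reuters; it classifies constructed, syslog-like sample lines by those two shapes, and the log format and the thresholds it uses are assumptions chosen for illustration rather than values from Microsoft's report.

```python
"""Added example (not from the article): classify failed-login activity from
constructed log lines as password spraying, brute force, or neither.

A spray shows up as one source hitting many distinct usernames with few
failures each; brute force hammers one account with many attempts. The
thresholds and the log format below are illustrative assumptions.
"""
from collections import defaultdict
import re

# Constructed sample log lines in a simple syslog-like format (not real data).
SAMPLE_LOG = """\
2021-06-25T14:00:01Z auth: FAILED user=alice src=203.0.113.10
2021-06-25T14:00:02Z auth: FAILED user=bob src=203.0.113.10
2021-06-25T14:00:03Z auth: FAILED user=carol src=203.0.113.10
2021-06-25T14:00:04Z auth: FAILED user=dave src=203.0.113.10
2021-06-25T14:00:05Z auth: FAILED user=erin src=203.0.113.10
2021-06-25T14:00:06Z auth: FAILED user=frank src=203.0.113.10
2021-06-25T14:00:07Z auth: SUCCESS user=frank src=203.0.113.10
2021-06-25T14:01:00Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:01Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:02Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:03Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:04Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:05Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:06Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:07Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:08Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:01:09Z auth: FAILED user=admin src=198.51.100.7
2021-06-25T14:02:00Z auth: FAILED user=alice src=192.0.2.5
2021-06-25T14:02:30Z auth: SUCCESS user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Illustrative thresholds (assumptions for this example, not Microsoft's).
SPRAY_MIN_USERS = 5        # distinct accounts failed from one source
SPRAY_MAX_PER_USER = 2.0   # average failures per account stays low in a spray
BRUTE_MIN_FAILURES = 10    # failures against a single account from one source


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def classify_sources(text):
    """Return {src: info} where info['verdict'] is 'spray', 'brute_force' or 'normal'.

    Each source also lists the accounts that logged in successfully after a
    failure from the same source: a success following a spray is the event an
    analyst should look at first.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    successes = defaultdict(set)                      # src -> users with a success
    for _ts, result, user, src in parse_log(text):
        if result == "FAILED":
            failures[src][user] += 1
        else:
            successes[src].add(user)

    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        users = len(per_user)
        if users >= SPRAY_MIN_USERS and total / users <= SPRAY_MAX_PER_USER:
            verdict = "spray"
        elif max(per_user.values()) >= BRUTE_MIN_FAILURES:
            verdict = "brute_force"
        else:
            verdict = "normal"
        verdicts[src] = {
            "verdict": verdict,
            "distinct_users": users,
            "failures": total,
            "success_after_failure": sorted(successes[src] & set(per_user)),
        }
    return verdicts


if __name__ == "__main__":
    for src, info in classify_sources(SAMPLE_LOG).items():
        print(src, info)
```

Run against the constructed sample, 203.0.113.10 is reported as a spray with a later success for `frank`, 198.51.100.7 as brute force against `admin`, and 192.0.2.5 as normal. The thresholds matter: a real spray is often slow enough to stay under per-account lockout limits, so grouping by source and by distinct account over a longer window is what makes it visible.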
The findings came as part of Microsoft’s ongoing investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used software updates from SolarWinds and other means to compromise networks owned by nine US agencies and 100 private companies. The federal government has declared that Nobelium is part of the Russian government’s Federal Security Service.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine owned by one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said in a post. “The actor has used this information in some instances to launch very targeted attacks as part of their larger campaign.”
According to Reuters, Microsoft released the breach disclosure after one of the outlet’s reporters asked the company about the notification it sent to targeted or hacked customers. Microsoft did not reveal the infection of the worker’s computer until the fourth paragraph of the five-paragraph post.
The compromised agent, Reuters said, had access to billing details and to the services customers paid for, among other information. “Microsoft has warned affected customers to be careful in communications with their billing contacts and to consider changing these usernames and email addresses, as well as prohibiting old usernames from signing in,” the news service reported.
The supply chain attack on SolarWinds came to light in December. After hacking into the Austin, Texas-based company and taking control of its software build system, Nobelium sent malicious updates to approximately 18,000 SolarWinds customers.
A wide range of targets
Attacking SolarWinds’ supply chain was not the only way Nobelium compromised its targets. Antimalware vendor Malwarebytes said it was also infected by Nobelium, but through a different vector, which the company did not identify.
Microsoft and email management provider Mimecast also said they were hacked by Nobelium, which then used the compromises to hack into the companies’ customers or partners.
Microsoft said the password spraying activity targeted specific customers: 57 percent IT companies, 20 percent government organizations, and the rest non-governmental organizations, think tanks and financial services firms. About 45 percent of the activity was focused on US interests, 10 percent was aimed at UK customers, and smaller numbers were in Germany and Canada. In total, customers in 36 countries were targeted.
Reuters, citing a Microsoft spokesperson, said the breach disclosed on Friday was not part of Nobelium’s previous successful attack on Microsoft. The company has yet to provide key details, including how long ago the agent’s computer was compromised and whether the compromise affected a Microsoft-managed machine on a Microsoft network or a contracted device on a home network.
Friday’s disclosure came as a shock to many security analysts.
“I mean, my God, if Microsoft can’t keep their own kit virus-free, how is the rest of the corporate world supposed to do it?” Kenn White, product security manager at MongoDB, told me. “You would have thought that customer-centric systems would be among the toughest.”