Microsoft says Russia hacked at least 14 IT service providers this year

Microsoft said on Monday that a Russian state-sponsored hacking group known as Nobelium had attacked more than 140 IT and cloud services providers, successfully breaching 14 companies.

The Microsoft Threat Intelligence Center (MSTIC) said the attacks were part of a planned campaign that began in May this year.

The attacks included spear-phishing campaigns and password-spraying operations that targeted employees of companies that manage IT and cloud infrastructure on behalf of their clients.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” said Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft.

“We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach,” Burt said.

Indicators of compromise from these attacks are available in an MSTIC report published earlier today.

Nobelium, which the White House tied to Russian intelligence service SVR, is the same threat actor that orchestrated the attack against US software provider SolarWinds in 2020. The group hacked SolarWinds, inserted malware inside one of its software products, and then used the malware to enter the networks of high-value targets, such as government agencies and large corporations.

These attacks disclosed today, carried out on a large scale, confirm that the SolarWinds intrusion was deemed a success for the Russian group, which is now trying to replicate it again by attacking other companies part of the software supply chain attack of organizations across the world.

Microsoft did not reveal the names of any of the 14 IT and cloud service providers successfully compromised in this campaign.