Microsoft says SolarWinds hacking group has breached three new victims

Microsoft said on Friday that it discovered new cyberattacks carried out by Nobelium, the codename the company has assigned to the Russian state-sponsored hacking group responsible for the SolarWinds hack last year.

In a recent campaign, Microsoft said the group used password spraying and brute-force attacks in an attempt to guess passwords and gain access to Microsoft customer accounts.
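The two techniques named above leave different traces in sign-in logs: password spraying tries one or two common passwords against many accounts (staying under per-account lockout thresholds), while brute force hammers a single account. The following detection script is an added example for this article, not Microsoft's or the reporter's code; the log format, the thresholds and the sign-in records (using documentation IP ranges) are all constructed for illustration. It groups failed sign-ins by source address and flags both patterns, which a per-account lockout policy alone would not.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class SignIn(NamedTuple):
    ts: str      # ISO-8601 timestamp
    src: str     # source IP address
    user: str    # account name attempted
    ok: bool     # True for SUCCESS, False for FAIL


# Constructed sample log: one record per line, "timestamp source_ip user OUTCOME".
# 203.0.113.5 tries six different accounts once each (spray pattern),
# 198.51.100.7 tries one account ten times (brute-force pattern),
# 192.0.2.9 is a user who mistyped once and then signed in (benign).
SAMPLE_LOG = "\n".join(
    [f"2021-06-25T10:00:0{i}Z 203.0.113.5 {u} FAIL"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [f"2021-06-25T10:01:{i:02d}Z 198.51.100.7 carol FAIL" for i in range(10)]
    + ["2021-06-25T10:02:00Z 192.0.2.9 dave FAIL",
       "2021-06-25T10:02:05Z 192.0.2.9 dave SUCCESS"]
)


def parse_log(text: str) -> List[SignIn]:
    """Parse the constructed space-separated format into SignIn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append(SignIn(ts, src, user, outcome == "SUCCESS"))
    return events


def detect(text: str,
           spray_min_accounts: int = 5,
           spray_max_per_account: int = 2,
           brute_min_attempts: int = 8) -> Dict[str, dict]:
    """Return a finding per source IP that shows a spray or brute-force pattern.

    Thresholds are illustrative assumptions, not values from the article:
      - spray: at least `spray_min_accounts` distinct accounts, each with no
        more than `spray_max_per_account` failures from the same source
      - brute: any single account with at least `brute_min_attempts` failures
    """
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in parse_log(text):
        if not e.ok:
            failures[e.src][e.user] += 1

    findings: Dict[str, dict] = {}
    for src, per_user in failures.items():
        brute = sorted(u for u, n in per_user.items() if n >= brute_min_attempts)
        low_volume = [u for u, n in per_user.items() if n <= spray_max_per_account]
        spray = len(low_volume) >= spray_min_accounts
        if spray or brute:
            findings[src] = {
                "spray": spray,
                "brute": brute,
                "accounts_targeted": len(per_user),
                "failed_attempts": sum(per_user.values()),
            }
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        kind = "password spray" if f["spray"] else "brute force on " + ", ".join(f["brute"])
        print(f"{src}: {kind} ({f['failed_attempts']} failures across "
              f"{f['accounts_targeted']} accounts)")
```

The point of aggregating by source rather than by account is that a spray deliberately keeps each account's failure count low; the signal is the breadth of accounts touched from one origin (or, tenant-wide, the overall failure rate), which is also why multi-factor authentication and conditional access limit the damage of a guessed password regardless of how it was obtained.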

The OS maker said the group breached three entities, which it is currently notifying.

"This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services," Microsoft said today.

"The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted."

Nobelium, which is also tracked as APT29, now becomes the second Russian-backed cyber-espionage group to have targeted Microsoft accounts with brute-force attacks, after similar campaigns carried out by APT28 were seen in 2019 and 2020.

Microsoft support staff computer also compromised

But the brute-force attacks disclosed today were only the first half of recent Nobelium activity. In addition, Microsoft said it found information-stealing malware on the device of one of its employees working as a customer support agent.

The OS maker said Nobelium used this malware to collect and steal basic account information for a small number of its customers that was stored on the customer support agent's device.

"The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft said.

The customer support agent's device has been secured, the company added.

In April this year, the Biden administration formally blamed the SolarWinds attack on the Russian Foreign Intelligence Service, also known as the SVR, effectively linking the Nobelium group to one of Russia's most skilled intelligence services.

Since then, the group has continued to operate after being publicly exposed as the perpetrator of the SolarWinds hack, including launching a sophisticated phishing campaign that even leveraged a rare iOS zero-day.

Cyber-security experts don't expect the group to cease operations even after being publicly outed by the Biden administration.


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.