Microsoft warns resellers and MSPs of threat from hacking group behind SolarWinds attack

Tech giant claims it has seen a wave of activity from Nobelium since the summer

Microsoft says that more than 140 resellers and technology service providers have been targeted by the group behind the SolarWinds attack since May.

Around 14 of these resellers and service providers have been compromised by Russian hacking group Nobelium, with Microsoft claiming the group has now switched its efforts towards targeting resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers.

The tech giant said that the attacks have not attempted to exploit any flaw or vulnerability in software but instead used "well-known" techniques such as password spray and phishing to steal legitimate credentials and gain privileged access.

Microsoft believes Nobelium hopes to "piggyback" on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organisation's trusted technology partner to gain access to their downstream customers.

"This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling - now or in the future - targets of interest to the Russian government," Tom Burt, corporate vice-president, customer security & trust at Microsoft, said in a blog post.

"While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the US, and the greater coordination and information sharing we've seen between industry and government in the past two years, have put us all in a much better position to defend against them.

"We continue to assess and identify new opportunities to drive greater security throughout the partner ecosystem, recognizing the need for continuous improvement. As a result of what we have learned over the past several months, we are working to implement improvements that will help better secure and protect the ecosystem, especially for the technology partners in our supply chain."

The vendor further claims the attacks have been part of a larger wave of Nobelium activities this summer. Between 1 July and 19 October this year, Microsoft said it informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits.

By comparison, prior to July 1, 2021, it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.