

Microsoft Corp. today said that as many as 14 information technology service providers were breached by the hacking group Nobelium, which the U.S. government and others have linked to Russia.
Nobelium is the same group responsible for last year’s SolarWinds hacking campaign. The SolarWinds hack, which came to light in December, is estimated to have affected up to 18,000 organizations.
Microsoft’s researchers began tracking the new Nobelium cyberattack campaign targeting IT firms this May. According to the company, Nobelium has launched cyberattacks against more than 140 IT service providers, including IT resellers, managed service providers that assist organizations with running their technology infrastructure, and others. Microsoft’s researchers determined that up to 14 of the targeted companies were breached.
Microsoft believes that Nobelium targeted IT service providers in a bid to gain access to their customers’ systems. Many organizations entrust the day-to-day management of their cloud environments and other technology assets to an external service provider. As a result, the service provider has the ability to access and modify key parts of its customers’ technology infrastructure.
In one of the cyberattacks uncovered by Microsoft, Nobelium breached four different providers to reach its target. In a technical blog post today, the company’s researchers detailed that the group had used several different hacking techniques to launch cyberattacks against the targeted companies.
“Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a blog post today.
Microsoft said that the hacking campaign targeting IT service providers was part of a broader wave of cyberattacks carried out by Nobelium over the summer. “In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” Burt detailed. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
Alongside its research on the hacking campaign, Microsoft said today that it’s taking steps to improve cybersecurity for organizations that use its products and rely on an IT service provider to manage their technology assets.
Organizations give service providers access to their technology environments by creating specialized administrator accounts. Microsoft, Burt wrote in the blog post, is currently piloting new features that will reduce the likelihood of service provider administrator accounts being used by hackers to launch cyberattacks. The new features will enable companies to detect accounts that have broader access to their technology environments than strictly necessary and make the needed adjustments to reduce their attack surface.
Microsoft has also released technical guidance to help organizations protect themselves against the newly detected hacking campaign. Additionally, the company updated several of its cybersecurity tools to help companies detect sooner whether they’re being targeted. “Threat protection and security operations tools such as Microsoft Cloud App Security (MCAS), M365 Defender, Azure Defender and Azure Sentinel have added detections to help organizations identify and respond to these attacks,” Burt added.