The hackers that breached scores of US government agencies by compromising software supplier SolarWinds have launched a new campaign against primarily US and UK targets – successfully attacking a Microsoft’s customer support team computer to steal information they used to launch “highly-targeted attacks”.
That’s according to Microsoft, which tracks the groups as NOBELIUM (it is also known as Cozy Bear or APT29, and believed to be linked to Russia's Foreign Intelligence Service, the SVR). Microsoft said in a June 25 blog it had seen a flurry of brute force and password spraying attacks by the APT, noting: “The majority of targets were not successfully compromised – we are aware of three compromised entities to date. All customers that were compromised or targeted are being contacted through our nation-state notification process.”
A Microsoft customer support machine and was breached and customer account information stolen as part of the attack, however: “We also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers.
"The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign", Microsoft said, adding: "We responded quickly, removed the access and secured the device. The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure.”
Microsoft customer support hacked: breach follows Azure, Intune source code theft
Microsoft’s ubiquity in enterprise and public sector environments makes it a compelling target. As part of the campaign by the NOBELIUM threat group earlier this year it stole proprietary source code including details about how Azure authenticates customers, Microsoft admitted on February 18. The hackers also accessed repositories and downloaded source code relating to Microsoft Intune and Exchange components — respectively, a mobile device and application management platform, and business email server software.
The latest attack this June comes after the FBI and CISA said they were tackling a fresh spearphishing campaign targeting government non-governmental organisations. While the two did not attribute the campaign, Microsoft and security firm Volexity both linked it back to the SolarWinds attacks (NOBELIUM/APT29).
In a somewhat under-reported attack, the APT compromised an end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs, the FBI and CISA said: "The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization. The emails contained a legitimate Constant Contact link that redirected to a malicious URL, from which a malicious ISO file was dropped onto the victim’s machine. This contained, among other things, a custom Cobalt Strike Beacon version 4 implant.
Microsoft described the recent activity as reinforcing "the importance of best practice security precautions such as Zero-trust architecture and multi-factor authentication and their importance for everyone."