Last week, Microsoft revealed that 3,000 email accounts involving more than 150 organizations in 24 countries had been targeted by a nation sponsored hacking group Microsoft calls “Nobelium,” which is the same group responsible for the Solar Winds attack. The company and law enforcement have been warning U.S. organizations that government agencies, think tanks and non-governmental organizations are the targets of such attacks, but they aren’t the only targets.
Moreover, multi-level targeting is becoming common place, meaning that hackers are not just attacking a company. Increasingly, they’re targeting companies, their partners and customers whether by ransomware or other means.
Hacked eMail Accounts Used for Phishing
According to Microsoft, Nobelium reportedly gained access to the U.S. Agency for International Development (USAID) Constant Contact email account and launched a phishing campaign which included a malicious link that distributes what Microsoft calls the “NativeZone” backdoor. The backdoor can be used to infect computers, steal data and do other harm.
Meanwhile, Ars Technica reported that Nobelium compromised a Microsoft worker’s computer and used to successfully launch password spraying attacks against Microsoft’s customers. According to Reuters, the malware could access billing contact information and the services for which they paid. Microsoft has secured the compromised device, according to Bloomberg.
“This reportedly successful compromise of a customer service agent’s computer was a well-planned and executed attack to gain access to Microsoft tools and hit highly targeted, specific customers, all from the APT group connected to the SolarWinds attack,” said Bill Lawrence, CISO at risk management platform provider SecurityGate.io. “Hopefully Microsoft discovered all the affected customers and has protections in place for stolen versions of their tools going forward.”
Ars Technica also reported that Nobelium successfully hacked Microsoft and email management provider Mimecast and then targeted the companies’ customers, nearly 60% of which were IT companies. Governments, think tanks, financial services companies and non-government organizations (NGOs) were also targeted. Microsoft has notified the victims.
Nobelium is believed to be run by Russia’s Foreign Intelligence Service (SVR). According to Microsoft, USAID is only one of many government organizations that’s being targeted as part of an intelligence strategy to learn about U.S. foreign policy. In March 2021, the Associated press reported that acting secretary of the U.S. Department of Homeland Security (DHS) Chad Wolf and other high-ranking officials were among the phishing victims of the Solar Winds email attack.
“I’ve spent my career trying not to sound like the boy who cried “wolf” or “the sky is falling,” said George Finney, CISO at Southern Methodist University. “[This latest incident] provides context for me to say, ‘Oh my gosh, in the last six months, it really does feel like the sky is falling. Last year, phishing was up something like 600%. The number of zero days that have come out this year – not just Microsoft – have been tremendously challenging to keep up with.”
Why Companies Should Be Concerned
CISOs know that attacks are constantly evolving and that their organizations can be compromised in ways they haven’t even imagined yet. Now that the world’s political superpowers are fighting more battles in the ether and there’s a lot of money to be made by cyber criminals, all employees working for any organization need to assume that their company is being targeted one way or the other and that simple and inadvertent mistakes can be very costly.
For example, earlier in June 2021, CNN reported that game publisher Electronic Arts had suffered a breach involving the theft of some Frostbite source code that powers video games including FIFA, Madden and Battlefield. The hackers also stole software development tools for FIFA21 and server code for player matchmaking in FIFA 22.
“You can buy a Slack token or cookie for a session on Electronic Arts’ slack instance on the dark web for $10. What does that $10 buy? It gives you the ability to post a message to the support channel and say, ‘Hey, I lost my phone at a party last night. Can someone reauthorize this new number?” said Mike Wilkes, CISO at Security Scorecard, which provides cybersecurity ratings. “So, $10 plus social engineering gets you $7 billion of software exfiltrated from EA.”
Exacerbating the problem is customer service reps’ responsibility and desire to help people. Wilkes said if bad actors socially engineered all the support teams around the world, they could get a lot more people clicking on emails and mobile phones authorized which they could use to gain access to infrastructure.
“They bypass multi-factor authorization by getting a support person to give them a whole new identity and access. What’s our defense? Security awareness training teaching people to be skeptical and teaching people to follow the process that’s been defined and not be so ‘helpful,” said Wilkes.
The four motivations that make phishing successful are fatigue, curiosity, greed and vanity, Wilkes said.
“It’s a tough, multi-front battle, what we call ‘asymmetric warfare.’ The bad buys only have to win once and the good guys have to defend perfectly 100% of the time,” said Wilkes.