NOBELIUM Targets Compromised Identities to Launch Supply Chain Attacks

November 1, 2021 | Anastasios Arampatzis

Microsoft has issued a warning that NOBELIUM, the Russian state-sponsored group behind the SolarWinds attack, has targeted at least 140 resellers and technology service providers in the global IT supply chain. “The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access,” says Microsoft in a blog post.

With the number of machine identities growing at an extraordinary pace, Microsoft’s research is a warning bell for every organization that relies on a vast and complex supply chain.
 
The Warning Bell

On October 24, Tom Burt, Microsoft Corporate Vice President of Customer Security & Trust said in an advisory that the advanced persistent threat (APT) group NOBELIUM has now pivoted to software and cloud service resellers in order to "piggyback on any direct access that resellers may have to their customers' IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers."

“NOBELIUM has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” wrote Tom Burt.

According to Microsoft’s threat analysts, NOBELIUM has been trying to compromise cloud service providers, managed service providers and other IT services organizations in the US and Europe in order to reach the government organizations, think tanks and companies those providers serve.

“These attacks are not the result of a product security vulnerability but rather a continuation of NOBELIUM’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts,” said Microsoft in another advisory. “By stealing credentials and compromising accounts at the service provider level, NOBELIUM can take advantage of several potential vectors.”

This well-coordinated campaign is part of a wider intelligence-gathering effort in the ongoing cyber confrontation between Russia on one side and the US and Europe on the other. Some call it a “cyber cold war”, a revival of the Cold War of the 1980s, this time fought in cyberspace. “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest to the Russian government,” wrote Tom Burt.
 

For Whom the Bell Tolls?

Microsoft has informed all impacted vendors and has also released technical guidance outlining how NOBELIUM attempts to move laterally across networks to reach downstream customers. These recommendations include enabling multi-factor authentication, checking activity logs, and removing delegated administrative privileges when no longer needed.
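The “checking activity logs” recommendation is the one most teams under-specify, so here is an added example written for this page (not Microsoft’s guidance and not Venafi tooling) of the detection logic behind it: a small Python detector that flags password spraying in Azure AD style sign-in records. The field names follow the Azure AD sign-in log schema (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and error code 50126 is AADSTS50126, “invalid username or password”; the sign-in records themselves are constructed sample data, and the 30-minute window and five-account threshold are tuning assumptions, not published thresholds. The sample deliberately includes a single-account brute force (not a spray), a normal typo followed by a correct password, and a slow spray spread over three hours that the default window misses, so the detector's blind spot is visible too.

```python
"""Password-spray detection over Azure AD style sign-in records.

Added example for this page; not Microsoft guidance or Venafi tooling.
Field names follow the Azure AD sign-in log schema. Error code 50126 is
AADSTS50126, "invalid username or password". All records are constructed
sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # AADSTS50126: wrong password for an existing account
SUCCESS = 0                  # errorCode 0: the sign-in succeeded


def _rec(ts, upn, ip, code):
    """Build one sign-in record in the shape the detector expects."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample sign-ins (assumption: illustrative data only).
SAMPLE_SIGNINS = (
    # Fast spray: one source, six accounts, one wrong password each, within 10 minutes.
    [_rec(f"2021-10-20T08:{2 * i:02d}:00+00:00", f"{u}@example.com",
          "203.0.113.10", INVALID_CREDENTIALS)
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # ...followed by a successful sign-in for a sprayed account from the same source.
    + [_rec("2021-10-20T08:15:00+00:00", "dave@example.com", "203.0.113.10", SUCCESS)]
    # Brute force against a single account: many failures, one user. Not a spray.
    + [_rec(f"2021-10-20T08:{30 + i:02d}:00+00:00", "admin@example.com",
            "198.51.100.7", INVALID_CREDENTIALS) for i in range(6)]
    # Ordinary user typo, then the correct password.
    + [_rec("2021-10-20T09:00:00+00:00", "erin@example.com", "192.0.2.5", INVALID_CREDENTIALS),
       _rec("2021-10-20T09:01:00+00:00", "erin@example.com", "192.0.2.5", SUCCESS)]
    # Slow spray: six accounts, one attempt every 40 minutes over 3h20m.
    + [_rec(f"2021-10-20T{10 + (40 * i) // 60:02d}:{(40 * i) % 60:02d}:00+00:00",
            f"{u}@example.com", "203.0.113.99", INVALID_CREDENTIALS)
       for i, u in enumerate(["grace", "heidi", "ivan", "judy", "mallory", "oscar"])]
)


def find_password_sprays(records, window_minutes=30, min_users=5):
    """Return {source_ip: sorted distinct accounts} for every source that fails with
    a wrong password against at least `min_users` distinct accounts inside some
    `window_minutes` interval. The window and threshold are tuning assumptions."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        ts = datetime.fromisoformat(r["createdDateTime"])
        failures[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))

    sprays = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so events[start:end + 1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users_in_window = {upn for _, upn in events[start:end + 1]}
            if len(users_in_window) >= min_users:
                # Report every account this source touched, not just the window.
                sprays[ip] = sorted({upn for _, upn in events})
                break
    return sprays


def sprays_followed_by_success(records, sprays):
    """Pair each spraying source with sprayed accounts that also signed in
    successfully from that source: the cases that need incident response."""
    hits = []
    for r in records:
        ip, upn = r["ipAddress"], r["userPrincipalName"].lower()
        if r["status"]["errorCode"] == SUCCESS and upn in sprays.get(ip, ()):
            hits.append((ip, upn))
    return hits


if __name__ == "__main__":
    found = find_password_sprays(SAMPLE_SIGNINS)
    for ip, users in found.items():
        print(f"possible spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    for ip, upn in sprays_followed_by_success(SAMPLE_SIGNINS, found):
        print(f"ALERT: {upn} signed in successfully from spraying source {ip}")
```

With the defaults only 203.0.113.10 is reported, together with dave@example.com as a sprayed account that subsequently authenticated from that source; the brute-force source and the typo are correctly ignored. The slow spray from 203.0.113.99 is only caught when the window is widened to a few hours, which is the practical caveat: low-and-slow spraying of the kind attributed to NOBELIUM needs long look-back windows or per-source account-diversity counts over days, and it needs the same logic applied to the partner tenant's sign-ins, not just your own.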

An important component of minimizing access privileges is a robust, automated machine identity management program. Machines, meaning any non-human entity, including APIs, containers, cloud workloads and IoT devices, are increasing in volume and form the backbone of every digital business initiative. Once siloed within security teams, machine identity management is now an important ingredient of enterprise-wide business risk management.

Weak management results in orphaned or unprotected machine identities that can easily be compromised or stolen by adversaries. Attackers and criminal groups such as NOBELIUM can leverage compromised machine identities, code signing keys for example, to gain privileged access to critical systems, maintain a strong foothold and pivot to disrupt operations or exfiltrate sensitive data. The consequences of compromised machine identities can be devastating, affecting not only the victim organization but also local communities, the national economy and national security. This is why President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028, May 2021) focuses so heavily on both strong authentication and protection of the software supply chain.

Businesses can protect themselves against threat actors like NOBELIUM by implementing a robust machine identity management program. Solutions such as Venafi CodeSign Protect help organizations protect the code signing machine identities used to sign and protect their software across the extended enterprise. As part of the Trust Protection Platform, CodeSign Protect powers enterprise solutions that give you the visibility, intelligence and automation to protect your software infrastructure.

If you wish to learn more, reach out to one of our experts. They will be glad to answer all your questions.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.