The Microsoft Threat Intelligence Center (MSTIC) detected attacks by the Nobelium group targeting IT services providers. The intent was to “gain access to downstream customers” such as Cloud Service Providers (CSP) and Managed Service Providers (MSP). If the Nobelium name sounds familiar, it’s because they were the threat actor behind the 2020 SolarWinds compromise.
MSTIC provides an example of the Nobelium group seeking access to a single end target via the compromise of four separate providers.
Nobelium continues to focus on high-value targets, as in their SolarWinds operation. The difference is that where Nobelium sought to compromise downstream SolarWinds customers through a software update altered with a backdoor, this campaign targeted IT providers to acquire the administrative-level credentials used to manage customer assets. The group targeted user accounts that were likely to hold broad administrative access to the IT providers' systems, through several means such as spear phishing and token theft. IT providers need to stay vigilant against a persistent threat such as Nobelium.
Microsoft offers advice for companies seeking to harden their systems. Some recommendations are to use the available multifactor authentication tools, to review and enforce compliance policies, and to follow the principle of least privilege, especially for administrative access. More detail on these measures can be found in their blog post.
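As an added illustration of those three recommendations, the following Python script is example code written for this summary, not from Microsoft or the blog post it cites. It audits a constructed inventory of a hypothetical IT provider's staff accounts and the delegated admin access they hold into customer tenants, flagging privileged accounts without MFA, privileged delegations that have gone unused for longer than a threshold (a least-privilege check), and single accounts that can administer many customers at once. The record field names, the role names, the 90-day idle threshold and the audit date are all assumptions chosen for the example.

```python
from datetime import date

# Constructed inventory for a hypothetical IT provider (example data, not from
# the summary above). Each record is one staff account: the roles it holds in
# customer tenants, whether MFA is enforced on it, when its delegated access
# was last used, and which customers it can administer. Field names and role
# names are assumptions for this example, not any vendor's schema.
ACCOUNTS = [
    {"user": "helpdesk1@provider.example", "roles": ["Helpdesk"],
     "mfa": True, "last_used": date(2021, 10, 20), "customers": ["cust-a"]},
    {"user": "svc-backup@provider.example", "roles": ["Global Admin"],
     "mfa": False, "last_used": date(2021, 10, 22),
     "customers": ["cust-a", "cust-b", "cust-c"]},
    {"user": "eng2@provider.example", "roles": ["Global Admin"],
     "mfa": True, "last_used": date(2021, 3, 1), "customers": ["cust-b"]},
    {"user": "eng3@provider.example", "roles": ["Reader"],
     "mfa": False, "last_used": date(2021, 10, 1), "customers": ["cust-c"]},
]

# Roles treated as privileged for the audit (assumed names).
PRIVILEGED_ROLES = {"Global Admin", "Privileged Role Admin"}

# Date the audit is run against; fixed so the results are reproducible.
AS_OF = date(2021, 10, 25)


def audit(accounts, today, stale_days=90):
    """Return (user, finding, severity) tuples for every policy violation.

    NO_MFA: the account is not protected by MFA (high if privileged).
    STALE_PRIVILEGED_DELEGATION: privileged access unused for > stale_days,
        a least-privilege candidate for removal.
    BROAD_CUSTOMER_SCOPE: one privileged account spans several customers, so
        a single credential theft reaches every one of them.
    """
    findings = []
    for acct in accounts:
        privileged = bool(PRIVILEGED_ROLES & set(acct["roles"]))
        idle_days = (today - acct["last_used"]).days
        if not acct["mfa"]:
            findings.append((acct["user"], "NO_MFA",
                             "high" if privileged else "medium"))
        if privileged and idle_days > stale_days:
            findings.append((acct["user"], "STALE_PRIVILEGED_DELEGATION", "high"))
        if privileged and len(acct["customers"]) > 1:
            findings.append((acct["user"], "BROAD_CUSTOMER_SCOPE", "medium"))
    return findings


def summarize(findings):
    """Count findings by type, e.g. for a compliance dashboard."""
    counts = {}
    for _, finding, _ in findings:
        counts[finding] = counts.get(finding, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(ACCOUNTS, AS_OF)
    for user, finding, severity in results:
        print(f"{severity:6} {finding:28} {user}")
    print(summarize(results))
```

Run against the sample inventory, the script reports the un-MFA'd service account that can administer three customers, the admin delegation that has sat idle since March, and the low-privilege account that still lacks MFA; in a real provider the inventory would come from the identity platform's role and sign-in exports rather than an inline list.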