Vulnerability Watch

Forum Discussion

Anonymous
4 years ago

Microsoft Reports New Activity from Nobelium Threat Actors

On October 24, Microsoft published a report on the latest activity from the nation-state actor called Nobelium that was responsible for the SolarWinds supply chain attack at the end of 2020. The group, which has been linked to Russia’s foreign intelligence service (SVR), began targeting resellers and service providers in the cloud service industry to gain access to downstream customers in May 2021. According to Microsoft, it has notified more than 140 organizations targeted by these attacks and only 14 have been confirmed compromised. 

Microsoft has also published technical guidance for defending against these attacks, mostly focused on cyber hygiene best practices. Specifically for downstream customers of resellers and service providers, Microsoft recommends:

  • Implementing multi-factor authentication and conditional access policies
  • Auditing and hardening privileged account access, especially for tenant administrator accounts
  • Reviewing permissions for service providers via business-to-business and local accounts
  • Reviewing audit logs and configuration changes

Microsoft’s technical guidance also includes tools, tactics and practices from this campaign, but it warns that these are of limited use due to the obfuscation techniques the threat group employs.
