Microsoft recently informed over 600 of its customers about 22,868 separate attacks by a single threat actor over a four month period. That actor—known as Nobelium—is a hacking group suspected of being affiliated with the Russian Foreign Intelligence Service (SVR).
The recent wave came between July 1 and October 19 this year, and included over 140 resellers and technology service providers. Tom Burt, Corporate Vice President at Microsoft, says "as many as 14" of these were compromised, and across the 600+ notified targets he puts the overall success rate "in the low single digits" (via BleepingComputer).
To put the numbers into perspective: successful or not, these four months alone produced more attack notifications than the previous three years combined. As Burt notes, "by comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years."
Also known as APT29, Cozy Bear, or The Dukes, the group is thought to work for one or more Russian intelligence agencies, and allegedly breached several US government agencies last year through the SolarWinds supply-chain compromise, in what was described as a "broad scope cyber espionage campaign."
The recent attacks show that Nobelium is not letting up, and its toolset is broad: persistent malware strains, phishing campaigns, and its own custom tooling, including the 'BoomBox' downloader and the 'VaporRage' shellcode loader.
Microsoft is now sharing Nobelium-specific mitigations it recommends service providers and technology organisations adopt to head off further attacks. In the security notice, Microsoft details some of Nobelium's tactics, including "the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain.
"In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach—exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks."
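The practical question for a downstream customer is whether anyone is reaching its tenant through a service provider's delegated-admin relationship, and whether those sign-ins match the providers it actually contracted with. The script below is an added example, not Microsoft's guidance or any product's code: it runs a baseline check over constructed sign-in records whose field names (crossTenantAccessType, homeTenantId, ipAddress, resourceDisplayName) are assumed to follow the Microsoft Graph sign-in record shape; the partner allowlist and IP ranges are hypothetical and would come from your own contracts.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sign-in records (not real data). The keys are an assumption
# modelled on the Microsoft Graph signIn resource: crossTenantAccessType is taken
# to read "serviceProvider" when the sign-in arrived through a partner's
# delegated-admin relationship, and homeTenantId is the partner's own tenant.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ops@partner-a.example", "homeTenantId": "1111-partner-a",
     "crossTenantAccessType": "serviceProvider", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "ops@partner-a.example", "homeTenantId": "1111-partner-a",
     "crossTenantAccessType": "serviceProvider", "ipAddress": "198.51.100.77",
     "resourceDisplayName": "Windows Azure Active Directory"},
    {"userPrincipalName": "helpdesk@partner-b.example", "homeTenantId": "2222-partner-b",
     "crossTenantAccessType": "serviceProvider", "ipAddress": "192.0.2.5",
     "resourceDisplayName": "Microsoft Graph"},
    {"userPrincipalName": "alice@customer.example", "homeTenantId": "9999-customer",
     "crossTenantAccessType": "none", "ipAddress": "203.0.113.10",
     "resourceDisplayName": "Office 365 Exchange Online"},
]

# Hypothetical baseline: the providers this tenant actually contracted with,
# and the egress ranges each one has declared for its administrative staff.
KNOWN_PARTNERS = {
    "1111-partner-a": [ipaddress.ip_network("203.0.113.0/24")],
}


def delegated_admin_signins(records):
    """Only the sign-ins that entered the tenant via a service-provider relationship."""
    return [r for r in records if r.get("crossTenantAccessType") == "serviceProvider"]


def flag_suspicious(records, known_partners=KNOWN_PARTNERS):
    """Return (reason, record) pairs for delegated-admin sign-ins the baseline
    does not explain: an unknown partner tenant, or a known partner acting
    from outside its declared ranges (the pattern a hijacked provider shows)."""
    findings = []
    for r in delegated_admin_signins(records):
        tenant = r.get("homeTenantId")
        if tenant not in known_partners:
            findings.append(("unknown partner tenant", r))
            continue
        ip = ipaddress.ip_address(r["ipAddress"])
        if not any(ip in net for net in known_partners[tenant]):
            findings.append(("known partner, unexpected source IP", r))
    return findings


def partner_summary(records):
    """Per-partner volume: sign-ins, distinct accounts, distinct source IPs.
    A sudden jump in accounts or IPs for one partner is worth a call to them."""
    acc = defaultdict(lambda: {"signins": 0, "accounts": set(), "ips": set()})
    for r in delegated_admin_signins(records):
        s = acc[r.get("homeTenantId")]
        s["signins"] += 1
        s["accounts"].add(r.get("userPrincipalName"))
        s["ips"].add(r.get("ipAddress"))
    return {t: {"signins": s["signins"], "accounts": len(s["accounts"]), "ips": len(s["ips"])}
            for t, s in acc.items()}


if __name__ == "__main__":
    for reason, rec in flag_suspicious(SAMPLE_SIGNINS):
        print(f"{reason}: {rec['userPrincipalName']} from {rec['ipAddress']} "
              f"-> {rec['resourceDisplayName']}")
    print(partner_summary(SAMPLE_SIGNINS))
```

Against the sample data the check reports partner-a signing in from an address outside its declared range and partner-b as a provider the tenant never contracted with; the first is exactly what a compromised but legitimate provider looks like, which is why the source-IP baseline matters as much as the allowlist of tenants.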
Welcome to a world where countries are believed to be waging silent cyberwars in the background of our everyday lives. In an age where so much relies on software companies and network providers to keep the world running smoothly, it's no wonder this has become the new front line.