Microsoft: SolarWinds Hackers Ramping Up Attacks Through Resellers


The company said supply chain attacks by Russian government hackers over the last four months exceed those they’ve been tracking by all nation-state actors over the last three years.

The hackers who infiltrated IT management firm SolarWinds and compromised nine federal agencies last year continue to target Microsoft’s government customers through partners reselling and implementing its products, the company said.

“[Microsoft Threat Intelligence Center] assesses that NOBELIUM has launched a campaign against these organizations to exploit existing technical trust relationships between the provider organizations and the governments, think tanks, and other companies they serve,” reads a blog Microsoft published Monday. The Cybersecurity and Infrastructure Security Agency urged administrators to review the blog and implement mitigations accordingly.

Nobelium is the name Microsoft gave to the SolarWinds hackers, who also used basic password guessing and brute force tactics to breach their targets at the end of last year and into 2021, according to the Cybersecurity and Infrastructure Security Agency. U.S. officials have attributed the activity to Russia’s Foreign Intelligence Service.

According to a separate blog post Microsoft Vice President Tom Burt published Sunday, more than a dozen of the company’s resellers have likely been compromised in recent months.

“Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” Burt wrote. “We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised.”

Government entities may be among more than 600 Microsoft customers targeted this summer, according to the blog post.

“Between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” Burt wrote. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”

Microsoft advised customers to implement multifactor authentication and said it is enforcing such requirements for its reselling partners. The company emphasized that the attacks are not due to any security vulnerabilities in its products, but others in the cybersecurity community disagree. They point to what they describe as a flaw in the company’s Active Directory Service.

“Unfortunately, based on flaws in the authentication architecture itself,” CrowdStrike CEO George Kurtz testified in February, hackers can “bypass multi-factor authentication entirely and, every bit as devastating as it sounds, have the ability to sign in as a compromised user no matter how many times that user resets their password.”

The Microsoft blog post also promotes the company’s security features as add-ons. One such service, available at various levels based on license types and premiums, is the ability to track suspicious activity through event logs, something some leading cybersecurity advocates have argued should be included as standard.