Russian Groups Target US Supply Chains and Cloud Service Resellers

Microsoft, the world-leading software, cloud computing, and gaming company, is ringing alarm bells over supply chain attacks by the Russian-backed group Nobelium. Nobelium is the same organization responsible for the 2020 SolarWinds supply chain attack, which affected thousands of organizations and companies and multiple departments of the US federal government. Microsoft has reported that Nobelium is targeting the US technology supply chain by focusing on cloud service resellers. These resellers act as middlemen between customers and the large cloud providers, and they commonly hold delegated administrative privileges over their customers' cloud environments. By compromising a reseller, Nobelium gains access not only to the reseller's own network but also to those of its customers, which can multiply the reach of a single intrusion by hundreds or thousands.

The Kaseya VSA ransomware attack of July 2, 2021, is a good example of a large supply chain attack. The attackers abused Kaseya's Virtual System Administrator (VSA), a remote monitoring and management tool, to push a malicious payload through Kaseya's customers to the businesses those customers managed. An estimated 800 to 1,500 downstream organizations were affected. One of them, Coop, a Swedish supermarket chain, was forced to close roughly 800 stores for nearly a week; in some villages this meant closing the only food store available.

The risk posed by Nobelium is not "coming soon"; it is clear and present. Microsoft has notified 140 cloud service resellers that Nobelium has targeted them, and as many as 14 of those resellers have already been compromised. More companies are expected to be targeted and compromised as Russia tries to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling, now or in the future, targets of interest to the Russian government.
Microsoft has noted that most of the recorded attacks do not exploit software flaws or vulnerabilities but instead rely on password spray and phishing. A password spray tries one or a few common passwords against many accounts, keeping the attempts per account below lockout thresholds, so a single weak password anywhere in a tenant is enough for a foothold. Beyond enforcing multi-factor authentication, the current best practices against Nobelium are hardening Active Directory, managing exposed credentials, and taking down spoofed domains.

CybelAngel offers several tools to reduce the cyber risk from Nobelium and other threat actors. Account Takeover Prevention locates exposed credentials available on the web so they can be secured or rotated before threat actors use them in an attack. Asset Discovery and Monitoring identifies exposed or vulnerable digital assets, such as Exchange servers, Active Directory and LDAP endpoints, and remote access services, that threat actors can abuse to further an attack through brute forcing, credential stuffing, or vulnerability exploitation. Domain Protection adds another layer of defense by identifying when threat actors have registered a fraudulent domain to collect passwords, logins, or other sensitive information, or to deliver malware.
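Because password spray is the technique Microsoft singles out, the detection a defender most wants is one that separates a spray (one source, many accounts, very few attempts per account) from an ordinary brute force (one source, one account, many attempts), and that tells the responder which sprayed accounts then signed in successfully. The script below is an added example written for this article; it is not CybelAngel's or Microsoft's code. It assumes a simplified sign-in log format of `timestamp source_ip account result`, and the log lines in it are constructed for illustration, using documentation IP ranges.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple

# Constructed sample sign-ins (not real data). Format: timestamp src_ip account result.
# 203.0.113.7 sprays six accounts once each and then logs in as dave (a spray that landed).
# 198.51.100.9 hammers a single account (brute force, not a spray).
# 192.0.2.10 is a user who mistyped a password once.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.7 alice@example.com FAIL
2021-10-25T08:00:31Z 203.0.113.7 bob@example.com FAIL
2021-10-25T08:01:02Z 203.0.113.7 carol@example.com FAIL
2021-10-25T08:01:33Z 203.0.113.7 dave@example.com FAIL
2021-10-25T08:02:04Z 203.0.113.7 erin@example.com FAIL
2021-10-25T08:02:35Z 203.0.113.7 frank@example.com FAIL
2021-10-25T08:03:06Z 203.0.113.7 dave@example.com OK
2021-10-25T08:10:00Z 198.51.100.9 alice@example.com FAIL
2021-10-25T08:10:01Z 198.51.100.9 alice@example.com FAIL
2021-10-25T08:10:02Z 198.51.100.9 alice@example.com FAIL
2021-10-25T08:10:03Z 198.51.100.9 alice@example.com FAIL
2021-10-25T08:10:04Z 198.51.100.9 alice@example.com FAIL
2021-10-25T08:10:05Z 198.51.100.9 alice@example.com FAIL
2021-10-25T09:15:00Z 192.0.2.10 bob@example.com FAIL
2021-10-25T09:15:20Z 192.0.2.10 bob@example.com OK
"""


class SignIn(NamedTuple):
    ts: datetime
    src_ip: str
    account: str
    success: bool


class SprayAlert(NamedTuple):
    src_ip: str
    first_seen: datetime
    last_seen: datetime
    accounts: List[str]         # distinct accounts that received failed attempts
    successes_after: List[str]  # sprayed accounts that later signed in from the same IP


def parse_log(text: str) -> List[SignIn]:
    """Parse the assumed 'timestamp ip account result' format into SignIn records."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, ip, account, result == "OK"))
    return events


def detect_password_spray(events: List[SignIn],
                          window: timedelta = timedelta(minutes=60),
                          min_accounts: int = 5,
                          max_per_account: int = 2) -> List[SprayAlert]:
    """Flag a source IP that fails against >= min_accounts distinct accounts within
    `window`, with no account tried more than max_per_account times (the
    low-and-slow shape that stays under lockout thresholds). A single account
    failing many times is a brute force, not a spray, and is deliberately not flagged here."""
    by_ip: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts: List[SprayAlert] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if not e.success]
        for i, first in enumerate(fails):
            in_window = [f for f in fails[i:] if f.ts - first.ts <= window]
            per_account = Counter(f.account for f in in_window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # Which sprayed accounts later authenticated from this IP? Those are the
                # ones to reset, revoke sessions for, and enforce MFA on first.
                landed = sorted({e.account for e in evs
                                 if e.success and e.ts >= first.ts and e.account in per_account})
                alerts.append(SprayAlert(ip, first.ts, in_window[-1].ts, sorted(per_account), landed))
                break  # one alert per source IP is enough
    return alerts


def run_sample() -> List[SprayAlert]:
    return detect_password_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"spray from {a.src_ip}: {len(a.accounts)} accounts between "
              f"{a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S}; "
              f"successful sign-ins afterwards: {a.successes_after or 'none'}")
```

The thresholds are the part to tune: `min_accounts` and `max_per_account` define the spray shape, and `window` should be long enough to catch sprays that trickle attempts over hours. Real sign-in telemetry (Azure AD sign-in logs, AD FS, VPN) carries more fields, so the parser is the only piece that needs adapting; the grouping and the "which accounts then succeeded" step are what make the alert actionable.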