The nation-state hackers who orchestrated the SolarWinds supply chain attack compromised a Microsoft worker’s computer and used the access to launch targeted attacks against company customers, Microsoft said in a terse statement published late on a Friday afternoon.
The hacking group also compromised three entities using password-spraying and brute-force techniques, which gain unauthorized access to accounts by bombarding login servers with large numbers of login guesses. With the exception of the three undisclosed entities, Microsoft said, the password-spraying campaign was “mostly unsuccessful.” Microsoft has since notified all targets, whether attacks were successful or not.
The discoveries came in Microsoft’s continued investigation into Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine US agencies and 100 private companies. The federal government has said Nobelium is part of the Russian government’s Federal Security Service.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers,” Microsoft said in a post. “The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”
According to Reuters, Microsoft published the breach disclosure after one of the news outlet’s reporters asked the company about the notification it sent to targeted or hacked customers. Microsoft didn’t reveal the infection of the worker’s computer until the fourth paragraph of the five-paragraph post.
The infected agent, Reuters said, could access billing contact information and the services the customers paid for, among other things. “Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in,” the news service reported.
The supply chain attack on SolarWinds came to light in December. After hacking the Austin, Texas-based company and taking control of its software-build system, Nobelium pushed malicious updates to about 18,000 SolarWinds customers.
A wide assortment of targets
The SolarWinds supply chain attack wasn’t the only way Nobelium compromised its targets. Antimalware provider Malwarebytes has said it was also infected by Nobelium but through a different vector, which the company didn’t identify.
Both Microsoft and email management provider Mimecast have also said that they, too, were hacked by Nobelium, which then went on to use the compromises to hack the companies’ customers or partners.
Microsoft said that the password-spraying activity targeted specific customers, with 57 percent of them IT companies, 20 percent government organizations, and the rest nongovernmental organizations, think tanks, and financial services. About 45 percent of the activity focused on US interests, 10 percent targeted UK customers, and smaller numbers were in Germany and Canada. In all, customers in 36 countries were targeted.
Reuters, citing a Microsoft spokesman, said that the breach disclosed Friday wasn’t part of Nobelium’s previous successful attack on Microsoft. The company has yet to provide key details, including how long the agent’s computer was compromised and whether the compromise hit a Microsoft-managed machine on a Microsoft network or a contractor device on a home network.
Friday’s disclosure came as a shock to many security analysts.
“I mean, Jesus, if Microsoft can’t keep their own kit clear of viruses, how is the rest of the corporate world supposed to?” Kenn White, product security principal at MongoDB, told me. “You would have thought that customer-facing systems would be some of the most hardened around.”