Microsoft said in a statement that the hackers behind the SolarWinds supply-chain attack compromised a Microsoft employee’s computer and used the access it gave them to launch targeted attacks on the company’s customers. The brief statement was released late on Friday afternoon.
The hacker group also used password spraying and brute-force techniques, which bombard login servers with large numbers of login guesses in an attempt to gain unauthorized access to accounts, and compromised three entities that way. Microsoft said that apart from those three undisclosed entities, the password-spraying campaign was “mostly unsuccessful.” Microsoft has notified all targets, whether or not the attack against them succeeded.
These findings come from Microsoft’s ongoing investigation of Nobelium, Microsoft’s name for the sophisticated hacking group that used SolarWinds software updates and other means to compromise networks belonging to nine U.S. agencies and 100 private companies. The federal government has said that Nobelium is part of the Russian government’s Federal Security Service.
Microsoft said in a post: “As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly targeted attacks as part of its broader campaign.”
According to Reuters, Microsoft issued the breach disclosure only after a reporter from the news service asked the company about notifications it had sent to targeted or hacked customers. Microsoft did not reveal the infection of its worker’s computer until the fourth paragraph of the five-paragraph post.
Reuters said the infected agent had access to billing contact information and to the services customers pay for. “Microsoft warned affected customers to be careful about communications to their billing contacts and to consider changing those usernames and email addresses, as well as barring old usernames from logging in,” the news service reported.
The SolarWinds supply-chain attack came to light in December. After breaking into the Austin, Texas company and taking control of its software build system, Nobelium pushed malicious updates to roughly 18,000 SolarWinds customers.
“The latest cyber attack reported by Microsoft has nothing to do with our company or our customers,” a SolarWinds representative said in an email.
The SolarWinds supply-chain attack was not the only means Nobelium used to compromise its targets. Anti-malware provider Malwarebytes has said it was also infected by Nobelium, but through a different vector that the company has not identified.
Microsoft and email management provider Mimecast have both said they were also hacked by Nobelium, which then went on to use those compromises to attack the companies’ customers or partners.
According to Microsoft, the password-spraying campaign was aimed at specific customers, 57% of which were IT companies, 20% government organizations, and the rest non-governmental organizations, think tanks, and financial services institutions. Approximately 45% of the activity targeted U.S. interests and 10% targeted UK customers, with smaller amounts concentrated in Germany and Canada. In total, customers in 36 countries or regions were targeted.
Reuters quoted a Microsoft spokesperson as saying that the breaches disclosed on Friday were not part of Nobelium’s earlier successful attacks on Microsoft. The company has not provided key details, including when the agent’s computer was compromised and whether the intrusion hit a Microsoft-managed machine on the Microsoft network or a contractor’s device on a home network.
Friday’s disclosure shocked many security analysts.
“I mean, my goodness, if Microsoft can’t keep their own kit free of viruses, what are other businesses supposed to do?” independent security researcher Kenn White told me. “You would think that customer-facing systems would be among the most hardened.”
This story originally appeared in Ars Technica.