Russian-backed Nobelium Targets Hundreds of IT Service Providers in Latest Campaign

Created: Tuesday, October 26, 2021 - 13:33
Categories: Cybersecurity

Microsoft has shared details on the latest campaign conducted by the Russian-backed threat actor NOBELIUM. It notes that since May 2021, NOBELIUM has targeted hundreds of cloud service providers (CSPs), managed service providers (MSPs), and other IT services organizations to exploit the administrative or privileged access provided to these companies by their downstream customers. This threat actor group has been detected “targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems,” according to Microsoft’s Threat Intelligence Center (MSTIC). These incidents are not due to product security vulnerabilities but instead are a result of NOBELIUM’s employment of sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing. To date, more than 140 IT companies have been targeted and Microsoft believes around 14 of them have been compromised. Microsoft reports it has notified known victims of the activities and worked with them and other industry partners to expand its investigation, resulting in new insights and disruption of the threat actor throughout stages of this campaign. It also announces it has released technical guidance that can help organizations protect themselves against this latest activity as well as guidance for partners.

NOBELIUM is the same threat actor behind the SolarWinds compromise in 2020 and has been identified by the U.S. government and others as being part of, or supported by, the Russian Foreign Intelligence Service (SVR). “This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” according to Tom Burt, corporate vice president, customer security & trust at Microsoft. CISA urges “users and administrators” to review Microsoft’s recent blog post and apply the necessary mitigations. Read Microsoft's recent blog or access a relevant article at BleepingComputer.