Russian Hackers Continue Targeting the Software Supply Chain

The Russian state-sponsored hacker group responsible for last year’s massive SolarWinds breach has continued targeting managed service providers (MSPs) in an effort to piggyback into other victim networks, according to a new threat report from Microsoft published on Sunday. The report indicates that Russia’s cyber operators remain undeterred and that cybersecurity at some MSPs is woefully inadequate.

Microsoft’s report details how a hacker group it calls “Nobelium,” which the U.S. government has linked to Russia’s Foreign Intelligence Service, has been targeting companies “integral to the global IT supply chain.” Moscow is “trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government,” Microsoft concluded.

Since May, Microsoft has notified over 140 MSPs that they have been targeted by Nobelium, which Microsoft believes has managed to penetrate as many as 14 MSPs to date. MSPs provide cloud and other IT services to companies and often have ongoing access to client networks. MSPs are therefore high-value targets, as breaching one MSP can provide access to hundreds if not thousands of other networks. When Nobelium breached the software company SolarWinds, for example, the hackers leveraged that access to compromise as many as 18,000 customers, including at least nine U.S. government agencies.

After the SolarWinds breach, the Biden administration’s federal budget proposal included $750 million to “respond to lessons learned from the SolarWinds incident.” The administration also tightened U.S. sanctions against Russian sovereign debt and designated six Russian technology companies for supporting “the Russian Intelligence Services’ cyber program.” President Joe Biden has repeatedly warned his Russian counterpart that the United States will respond “firmly” to defend its national interests in cyberspace.

As Nobelium’s latest hack demonstrates, however, Moscow appears to have concluded that penetrating the technology supply chain is too lucrative to stop, barring a much more significant response from the Biden administration. While the Biden team should explore additional cost-imposition tools to punish Moscow, deterrence through denial is more likely to stem Russia’s cyber-espionage efforts. This requires hardening U.S. networks against infiltration.

Therefore, it is most troubling that some MSPs instead appear to be giving the Russians an easy target. In its latest campaign, Nobelium reportedly used relatively unsophisticated techniques, such as password spraying and phishing, to access MSP networks. Initial theories as to how Nobelium gained access to SolarWinds’ network suggested the hackers exploited an easy-to-guess password (“solarwinds123”), although further investigation revealed that password was not how Nobelium got in. Regardless, once inside the company’s network, the hackers used SolarWinds’ own software patches to push malware to its clients.

MSPs are guardians of the confidentiality, integrity, and availability of their clients’ data. The fact that some MSPs apparently do not employ complex passwords and multi-factor authentication, which are basic cyber hygiene practices, is inexcusable.

Changes to public and private cybersecurity policies could help make IT networks harder targets. Congress should establish a cloud security certification, which would institute cybersecurity standards for MSPs that provide cloud-based services to other companies. A certification process requiring even basic cyber hygiene best practices likely would have thwarted Nobelium’s password spraying and phishing attempts.

Nobelium’s continued targeting of MSPs should be a wakeup call to Washington and to MSP operators. The public and private sectors must do everything in their power to ensure that these high-value targets are secure.

Trevor Logan is a cyber research analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). For more analysis from Trevor and CCTI, please subscribe HERE. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.

Clarification: An earlier version of this policy brief stated that Nobelium gained access to SolarWinds’ network by exploiting the “solarwinds123” password. When asked about the password theory during February 2021 congressional testimony, the company’s current and former CEOs did not deny it, although the company later said the password played no role.