ChannelLife Australia

Microsoft, Mandiant uncover Russian threat actor targeting cloud services

By Shannon Williams
Wed 27 Oct 2021

Mandiant and Microsoft have identified a new wave of intrusion activity from the threat actor behind the SolarWinds supply chain attacks. 

Nobelium, the Russian nation-state actor behind the 2020 cyberattacks targeting SolarWinds customers, has been identified by the U.S. government and others as part of Russia’s foreign intelligence service, the SVR.

According to Microsoft, Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organisations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers. 

"We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers," Microsoft says.

"We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community."

Since May, Microsoft says it has notified more than 140 resellers and technology service providers that have been targeted by Nobelium. 

"We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised," it says.

"Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful."

These attacks have been a part of a larger wave of Nobelium activities this summer. In fact, between July 1 and October 19 this year, Microsoft informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits. By comparison, prior to July 1, 2021, it had notified customers about attacks from all nation-state actors 20,500 times over the past three years.

Microsoft says this recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government. 

"The attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to exploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access," the company says.

"We have learned enough about these new attacks, which began as early as May this year, that we can now provide actionable information which can be used to defend against this new approach."

Mandiant says that while the SolarWinds supply chain attack relied on malicious code inserted into legitimate software, most of this recent intrusion activity has instead leveraged stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately reach the environments of organisations targeted by the Russian government.
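As an added illustration (not code from the article, Microsoft or Mandiant), the following Python detector looks for the password-spray pattern described above: one source attempting many distinct accounts with only a handful of successes, then flagging any account that did succeed from that source as a likely stolen identity. The log lines, IP addresses, account names and thresholds are constructed samples, not values from the campaign.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the article): one source IP
# fails once against each of several accounts, then one attempt succeeds.
SAMPLE_LOG = """\
2021-05-03T08:00:01Z 203.0.113.7 alice@reseller.example FAILURE
2021-05-03T08:00:04Z 203.0.113.7 bob@reseller.example FAILURE
2021-05-03T08:00:09Z 203.0.113.7 carol@reseller.example FAILURE
2021-05-03T08:00:13Z 203.0.113.7 dave@reseller.example FAILURE
2021-05-03T08:00:18Z 203.0.113.7 erin@reseller.example FAILURE
2021-05-03T08:00:22Z 203.0.113.7 frank@reseller.example SUCCESS
2021-05-03T08:05:00Z 198.51.100.9 alice@reseller.example FAILURE
2021-05-03T08:05:30Z 198.51.100.9 alice@reseller.example SUCCESS
"""


def parse_events(text):
    """Parse 'timestamp source_ip account RESULT' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": n, "compromised": [users]}} for every source IP
    that failed against at least `min_accounts` distinct accounts inside
    `window`. Any SUCCESS from that IP within the same window is reported as
    a likely stolen identity (the spray paid off for that account).
    A single account failing repeatedly from one IP is brute force, not a
    spray, and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ev in sorted(events):           # sort by timestamp first
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            failed = {e[2] for e in in_win if e[3] == "FAILURE"}
            if len(failed) >= min_accounts:
                success = sorted({e[2] for e in in_win if e[3] == "SUCCESS"})
                findings[ip] = {"accounts": len(failed), "compromised": success}
                break                   # one finding per source IP is enough
    return findings
```

In a real deployment the same logic runs over identity-provider sign-in logs, and the flagged accounts are the ones whose sessions, tokens and delegated permissions should be reviewed first.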

"This attack path makes it very difficult for victim organisations to discover they were compromised and investigate the actions taken by the threat actor," says Mandiant SVP and CTO, Charles Carmakal.

"This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organisations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses and second, investigating these intrusions requires collaboration and information sharing across multiple victim organisations, which is challenging due to privacy concerns and organisational sensitivities," he says.

"We've observed this attack path used to obtain access to on-premises and cloud victim environments," Carmakal says.

"Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organisations and other organisations that deal in matters of interest to Russia. 

"The intrusion activity is ongoing and Mandiant is actively working with organisations that are impacted."
