The group of attackers that compromised SolarWinds late last year recently conducted another campaign against government agencies and IT companies and was able to compromise the machine of a Microsoft customer support agent who had access to customer account data.
The attack campaign targeted companies in 36 countries, but nearly half of the affected organizations were in the United States. Microsoft has warned the customers whose accounts were affected by the compromise of the agent’s machine, and the company said that only a handful of companies were affected. The campaign was essentially a phishing attack that also used password spraying and brute force attempts to access accounts.
“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date. All customers that were compromised or targeted are being contacted through our nation-state notification process,” Microsoft’s Threat Intelligence Center said.
Microsoft discovered the compromise of its customer service agent as part of an investigation into ongoing activity by the threat group it refers to as Nobelium. The group is affiliated with the Russian SVR and is also known as APT29, and the U.S. government has attributed the compromise of SolarWinds and many of its customers to the group.
Microsoft did not specify where the compromised customer service agent was located or whether the person is a company employee or a contractor.
“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device,” Microsoft said.
The tactics that Microsoft describes Nobelium using in this campaign are typical of the way that many threat groups conduct phishing and targeted attack operations. Advanced threat groups often start their operations with relatively basic tactics to gain initial access to a target organization, and then use more sophisticated tools and techniques to move laterally or escalate privileges. Nobelium is among the more active threat groups and is known for going after high-level targets such as government agencies, technology companies, and diplomatic entities.
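Password spraying and brute force are the two initial-access tactics the article names, and the difference between them is exactly what a defender's detection logic keys on: a spray makes a few attempts against many accounts (to stay under per-account lockout thresholds), while brute force hammers one account. The following Python script is an added example, not code from the article or from Microsoft; it runs that distinction over a constructed authentication log and flags the higher-priority case where a failure burst from a source is followed by a success. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
"""Classify failed-login bursts per source address as password spraying
(few attempts each against many accounts) or brute force (many attempts
against one account), and flag a success that follows the burst.
Added example; the log format and thresholds below are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format: "<ISO time> <user> <source IP> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2021-06-25T10:00:01 alice 203.0.113.7 FAIL
2021-06-25T10:00:03 bob 203.0.113.7 FAIL
2021-06-25T10:00:05 carol 203.0.113.7 FAIL
2021-06-25T10:00:07 dave 203.0.113.7 FAIL
2021-06-25T10:00:09 erin 203.0.113.7 FAIL
2021-06-25T10:00:11 frank 203.0.113.7 FAIL
2021-06-25T10:00:13 grace 203.0.113.7 SUCCESS
2021-06-25T10:01:00 alice 198.51.100.9 FAIL
2021-06-25T10:01:01 alice 198.51.100.9 FAIL
2021-06-25T10:01:02 alice 198.51.100.9 FAIL
2021-06-25T10:01:03 alice 198.51.100.9 FAIL
2021-06-25T10:01:04 alice 198.51.100.9 FAIL
2021-06-25T10:01:05 alice 198.51.100.9 FAIL
2021-06-25T10:01:06 alice 198.51.100.9 FAIL
2021-06-25T10:01:07 alice 198.51.100.9 FAIL
2021-06-25T10:05:00 bob 192.0.2.44 FAIL
2021-06-25T10:05:30 bob 192.0.2.44 SUCCESS
"""


def parse_lines(text):
    """Parse the constructed format into (time, user, source_ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=10), spray_min_users=5,
                     spray_max_per_user=2, brute_min_attempts=8):
    """Return {source_ip: finding} for every source whose failures inside a sliding
    window match the spray or brute-force shape. Thresholds are assumed values;
    tune them to the real lockout policy and baseline of the environment."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, start in enumerate(fails):
            # All failures from this source within `window` of the i-th failure.
            in_window = [e for e in fails[i:] if e[0] - start[0] <= window]
            per_user = Counter(e[1] for e in in_window)
            pattern = None
            if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
                pattern = "password_spray"   # wide and shallow: many accounts, few tries each
            elif max(per_user.values()) >= brute_min_attempts:
                pattern = "brute_force"      # narrow and deep: one account, many tries
            if pattern is None:
                continue
            # A success from the same source at or after the burst is the signal to act on first.
            last_fail = in_window[-1][0]
            success_after = any(e[3] == "SUCCESS" and e[0] >= last_fail for e in evs)
            findings[ip] = {
                "pattern": pattern,
                "distinct_users": len(per_user),
                "attempts": len(in_window),
                "success_after": success_after,
            }
            break  # first matching window is enough to flag the source
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_lines(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample data the first source is flagged as a spray that ended in a successful login (the case to triage first), the second as brute force against a single account, and the third, one failure followed by a success, is left alone as ordinary user behaviour. In production the same logic would be keyed on a source identity that survives proxying (ASN, user agent plus IP, or a device identifier) rather than a bare IP, since spray campaigns typically rotate addresses.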
Microsoft said that the customer service agent who was compromised in this recent operation only had access to a limited amount of customer information, and the person’s computer was set up to have only the lowest level of access necessary.
“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust “least privileged access” approach to customer information,” Microsoft said.