At a glance.
- Microsoft describes a major SVR supply chain campaign.
- Israel promises Pegasus will not target France.
- A look at China’s cyber power.
Russia's SVR is engaged in a major attempt to compromise software supply chains.
Researchers at Microsoft disclosed they’ve detected fresh activity from Nobelium, the threat group linked to Russia's foreign intelligence service SVR and responsible for last year’s massive SolarWinds attack. Returning to its approach of targeting essential links in the technology supply chain, the group is focusing on global IT resellers and service providers, with the intent of impersonating trusted tech partners in order to gain access to lucrative client data in cloud storage. As the New York Times points out, the news comes just months after US President Joe Biden imposed sanctions on Moscow in response to the series of recent attacks from Russia-linked cybergangs. Though it’s unclear just how successful the new operations have been, Microsoft says Nobelium attacked over six hundred companies a total of 22,868 times between July and October of this year, more than the total of all attacks from all nation-state threat actors in the past three years. However, a US government official downplayed the attacks, telling the Wall Street Journal, “Based on the details in Microsoft’s blog, the activities described were unsophisticated password spray and phishing, run-of-the-mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments.”
Mandiant has also been investigating Russian cyberespionage activities. The company's SVP and CTO, Charles Carmakal, wrote to contrast this most recent activity with the SolarWinds compromise. The SolarWinds incident involved insertion of malicious code into a software product. The recent campaigns have instead exploited stolen identities and vendor networks:
“Mandiant has investigated multiple intrusions in 2021 where suspected Russian threat actors exploited supply chain relationships between technology companies and their customers. While the SolarWinds supply chain attack involved malicious code inserted in legitimate software, most of this recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services, and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government. This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor. This is particularly effective for the threat actor for two reasons: First, it shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses and second, investigating these intrusions requires collaboration and information sharing across multiple victim organizations, which is challenging due to privacy concerns and organizational sensitivities. We’ve observed this attack path used to obtain access to on-premises and cloud victim environments. Similar to the victimology observed in the 2020 campaign, the targets of this intrusion activity appear to ultimately be government organizations and other organizations that deal in matters of interest to Russia. The intrusion activity is ongoing and Mandiant is actively working with organizations that are impacted.”
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network, thinks the attempt against supply chains is a harbinger of more to come in 2022. Such attacks offer both criminals and intelligence services a good cost-benefit proposition:
“Supply chain attacks will certainly continue their surge in 2022. Suppliers are the Achilles’ Heel of the largest financial institutions, governmental institutions and providers of critical national infrastructure. Compared to frontal attacks against the victims, silent attacks against third parties are generally faster, cheaper and less noisy. Moreover, suppliers may also have access to more data than the victims themselves, for example, by storing more data in backups than contractually allowed or expected. Worse, some suppliers fail to detect sophisticated intrusions and the victims are never even notified about the incident.”
Kolochenko adds that attribution of such attacks remains challenging, especially with the complex interplay among criminal gangs, privateers, and intelligence services:
"Attribution of supply chain attacks, likewise, remains a highly complex issue, both technically and legally speaking. Cyber gangs actively cooperate with each other, outsourcing some specific tasks to their accomplices in different countries. Few cyber mercenaries will ever conduct research for new 0day vulnerabilities or create novel stealth trojans, for instance. Instead, they will just buy it from numerous groups specialized in the domain, saving time and money. Furthermore, some nation-state actors may hire several hacking groups and creatively split a task between them. Frequently, cyber gangs are purposely hired from countries like Russia or China to mislead the victim and confuse the investigators. Eventual attribution to a specific person, organization or even country is thus overly problematic. International collaboration and further expansion of such treaties as the Budapest Convention are essential to curb transnational cybercrime."
And of course the supply chain needs to be aware of the threats so it can better secure its links. Neil Jones, Cybersecurity Evangelist at Egnyte, applauds Microsoft's decision to warn resellers and partners:
“It's reassuring to see that Microsoft is proactively warning its resellers and technology service providers about the newest wave of cyber-attack attempts by Nobelium. This is especially important when we consider that the global supply chain is already under extreme pressure as major economies recover from the pandemic. Since the latest wave of attacks doesn't appear to prey upon specific vulnerabilities or security flaws, companies can safeguard themselves by deploying tried-and-true cyber-protection techniques, such as proven Multi-Factor Authentication (MFA), e-mail protection and suspicious login detection solutions. These tactics will go a long way in combating the credential stuffing, phishing and token theft tactics that have characterized the most recent wave of Nobelium attacks.”
Danny Lopez, CEO of Glasswall, would like the IT supply chain to become as interested in its vulnerabilities as the threat actors are:
“IT supply chain companies must act now to avoid becoming the next SolarWinds. With Nobelium surveying global organisations for weak points, shoring up security infrastructure is absolutely critical. According to Microsoft researchers, the nation-state adversaries are not leveraging specific vulnerabilities at this time but are using old school credential stuffing and phishing as well as API abuse and token theft in order to gather legitimate account credentials. If successful, lateral movement across the compromised organisation’s network would be the next stage, allowing for data theft, reconnaissance, compromise of customer systems and more.
“To prevent these attackers from gaining privileged access and wreaking havoc, organisations need to adopt robust processes for onboarding and offboarding employees and affiliates that may receive access to key information systems. It's vital to control privileged access and to monitor those that enjoy that administrator privilege. Ensuring that multi-factor authentication is enforced wherever possible is a vital defence where user credentials find their way into the public domain. This will help to limit the blast radius and, in most cases, defeat the data breach.
“Adversaries are also constantly looking to probe vulnerabilities and to insert malware into the environment, often using everyday business documents which we all use or carefully crafted phishing emails with compromised documents within.”
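The US official quoted above characterises the activity as password spray, and both Jones and Lopez point to suspicious-login detection and MFA as the practical countermeasures. The script below is an added illustration, not code from the article or from any of the vendors quoted, of what that detection looks like in practice: it reads constructed sign-in events (a timestamp, source IP, account and outcome per line, a format assumed for the example), flags a source that fails against many distinct accounts within a window with few guesses per account (the spray shape, as opposed to brute force against one account), and then lists accounts that subsequently signed in successfully from a flagged source so that responders can reset passwords, revoke sessions and enforce MFA. The thresholds are assumptions chosen for the sample data, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not from the article). One event per line:
# "<ISO timestamp> <source IP> <account> <SUCCESS|FAILURE>"
# 203.0.113.7 tries ten different accounts once each, then lands one;
# 198.51.100.4 is an ordinary user mistyping a password twice.
SAMPLE_LOG = """\
2021-10-25T08:00:01Z 203.0.113.7 alice@example.com FAILURE
2021-10-25T08:00:09Z 203.0.113.7 bob@example.com FAILURE
2021-10-25T08:00:17Z 203.0.113.7 carol@example.com FAILURE
2021-10-25T08:00:25Z 203.0.113.7 dave@example.com FAILURE
2021-10-25T08:00:33Z 203.0.113.7 erin@example.com FAILURE
2021-10-25T08:00:41Z 203.0.113.7 frank@example.com FAILURE
2021-10-25T08:00:49Z 203.0.113.7 grace@example.com FAILURE
2021-10-25T08:00:57Z 203.0.113.7 heidi@example.com FAILURE
2021-10-25T08:01:05Z 203.0.113.7 ivan@example.com FAILURE
2021-10-25T08:01:13Z 203.0.113.7 judy@example.com FAILURE
2021-10-25T08:01:21Z 203.0.113.7 mallory@example.com SUCCESS
2021-10-25T08:05:00Z 198.51.100.4 bob@example.com FAILURE
2021-10-25T08:05:30Z 198.51.100.4 bob@example.com FAILURE
2021-10-25T08:06:00Z 198.51.100.4 bob@example.com SUCCESS
"""

# Assumed thresholds (tune to your own baseline): a spray hits many accounts
# with few guesses each; brute force is the opposite shape.
WINDOW = timedelta(hours=1)
MIN_DISTINCT_ACCOUNTS = 10
MAX_ATTEMPTS_PER_ACCOUNT = 3


def parse_events(log_text):
    """Parse log lines into (timestamp, ip, account, outcome) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events):
    """Return {ip: {"distinct_accounts": n, "attempts": m}} for every source IP
    whose failed sign-ins inside some WINDOW touch at least MIN_DISTINCT_ACCOUNTS
    accounts at a rate of at most MAX_ATTEMPTS_PER_ACCOUNT guesses per account."""
    failures = defaultdict(list)
    for ts, ip, account, outcome in events:
        if outcome == "FAILURE":
            failures[ip].append((ts, account))

    findings = {}
    for ip, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until attempts[start:end+1] fits in WINDOW.
            while attempts[end][0] - attempts[start][0] > WINDOW:
                start += 1
            window = attempts[start:end + 1]
            accounts = {account for _, account in window}
            spray_shaped = (len(accounts) >= MIN_DISTINCT_ACCOUNTS
                            and len(window) / len(accounts) <= MAX_ATTEMPTS_PER_ACCOUNT)
            if spray_shaped:
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    findings[ip] = {"distinct_accounts": len(accounts), "attempts": len(window)}
    return findings


def successes_from_spraying_ips(events, findings):
    """Accounts that signed in successfully from a flagged source: candidates for
    password reset, session/token revocation and MFA enforcement."""
    return sorted({account for _, ip, account, outcome in events
                   if outcome == "SUCCESS" and ip in findings})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = detect_password_spray(evts)
    print("spray sources:", hits)
    print("accounts to review:", successes_from_spraying_ips(evts, hits))
```

On the sample data only 203.0.113.7 is flagged (ten accounts, ten attempts inside a minute); 198.51.100.4 fails twice against a single account and is ignored, which is the distinction that keeps a detection like this from paging on ordinary typos. In a real deployment the same logic would run over identity-provider sign-in logs, and the accounts returned by `successes_from_spraying_ips` are the ones where token theft or session replay becomes the next concern.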
Israel promises Pegasus will not target France.
In the aftermath of the Pegasus Project, the massive exposé which revealed that Israeli tech company NSO’s Pegasus spyware was allegedly being used for illicit surveillance all over the world, the Wire reports that the Israeli government has struck a deal with France. After discovering that several French officials, including French President Emmanuel Macron, were among the 50,000 individuals listed as potential targets of Pegasus spyware, Macron’s top adviser Emmanuel Bonne met for “secret talks” with Israeli national security advisor Eyal Hulata. Hulata reportedly agreed to prohibit the surveillance of French cell phones in any future deals between an Israeli firm and another country. Asharq Al-Awsat explains that the French administration halted much French-Israeli diplomacy after the Pegasus Project, so Hulata’s promise is likely an attempt to smooth out any kinks in the nations’ relationship. An NSO spokesperson told the New Arab, “It is not for NSO to comment on the existence of content of diplomatic meetings...However, regarding the allegations of Pegasus Project, we stand by our previous statements: the so-called list is not a list of Pegasus targets, hence the French government officials mentioned are not and never have been Pegasus targets.”
A look at China’s cyber power.
Lawfare imagines what it would look like if China were to draft its own declaration of its cybersecurity goals, similar to US Cyber Command’s Command Vision statement. To be clear, there’s no reason to believe China is writing any such document; the hypothetical is a thought experiment intended to illustrate how China and the US’s other competitors likely view America’s objectives as threatening. Lawfare posits that voluntary adherence to behavioral norms like those proposed in 2016 by former legal adviser to the US State Department Brian Egan could reduce international tensions and promote cooperation.
Also considering China’s cyber capabilities, War on the Rocks examines China’s Tianfu Cup, a bug-bounty competition that showcases the nation’s best and brightest hackers, and how it gives China an opportunity to parade its prowess. Tianfu was launched in 2017 after the Chinese government banned its researchers from participating in international competitions, reasoning that they were publicizing innovative exploits that could be used for government intelligence purposes and exposing the techniques to prying Western eyes. Tianfu has a baked-in sanction protecting the competitors’ work from outside pressures, while simultaneously giving the Chinese government first dibs on the participants’ findings. Moreover, the vulnerabilities highlighted by the competition, such as the bugs discovered in the Microsoft Exchange mail server during the 2021 Cup, essentially point out weaknesses in Western tech and leave them exposed to future intrusion.