Guidance for partners and customers on Nobelium targeted attacks
- Alan Jacob

- Oct 28, 2021
- 2 min read

Microsoft released guidance to help partners and customers protect against nation-state activity associated with the threat actor tracked as Nobelium. Nobelium is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor’s compromise-one-to-compromise-many approach. Through its nation-state notification process, Microsoft has notified the organizations that the Microsoft Threat Intelligence Center (MSTIC) has observed being targeted or compromised by Nobelium.
To reduce the potential impact of this Nobelium activity, cloud service providers (CSPs), managed service providers (MSPs), and other IT services organizations that rely on delegated administrative privileges (collectively, “service providers”), or that have been granted other administrative privileges by their customers, should review the guidance below and immediately implement mitigations for their own organization and for their customers.
Microsoft has observed Nobelium targeting privileged accounts of service providers to move laterally in cloud environments, leveraging the trusted technical relationships to gain access to downstream customers and enable further attacks or access targeted systems.
These attacks are not the result of a product security vulnerability but rather a continuation of Nobelium’s use of a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing to compromise user accounts and leverage the access of those accounts. These attacks have highlighted the need for all administrators to adopt strict account security practices and take additional measures to secure their environments.
In the observed supply chain attacks, downstream customers of service providers and other organizations are also being targeted by Nobelium. In these provider/customer relationships, a customer delegates administrative rights to the provider to allow the provider to manage the customer’s tenants as if they were an administrator within the customer’s organization.
By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, including but not limited to delegated administrative privileges (DAP), and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access.
Read the Microsoft Partner blog for partner and downstream customer guidance and take immediate action. RPG is sharing this content to make customers aware; we have reviewed our internal systems over the last several weeks to ensure the highest level of security.