Tue | Jun 29, 2021 | 3:15 AM PDT

The hacking group behind the infamous SolarWinds incident, Nobelium, is making headlines again.

The Microsoft Threat Intelligence Center says it has observed new activity from the cybercrime group, mainly password spray and brute-force attacks.

Plus, Microsoft says it has uncovered that one of its customer service systems was under an ongoing attack and being used to launch highly targeted attacks against some Microsoft customers.

Who was Nobelium targeting in this Microsoft attack?

Microsoft researchers offered some interesting details about who Nobelium focused on in these recent attacks:

"This activity was targeted at specific customers, primarily IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services."

The tech giant also analyzed the attacks based on geography:

"The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada.  In all, 36 countries were targeted."

Microsoft also apparently stumbled onto an ongoing cyberattack that was being used as a springboard to attack its customers.

"As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers.

The actor used this information in some cases to launch highly targeted attacks as part of their broader campaign. We responded quickly, removed the access, and secured the device. 

The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust 'least privileged access' approach to customer information. We are notifying all impacted customers and are supporting them to ensure their accounts remain secure."

Microsoft has contacted all of its targeted customers through its nation-state notification process.
