SolarWinds Hackers Breach Microsoft Customer Support to Target its Customers

In another sign that the Russian hackers who compromised SolarWinds' network monitoring software to breach a slew of entities never really went away, Microsoft has disclosed that the same threat actor, which it tracks as Nobelium, used password spraying and brute-force attacks to guess passwords and gain access to customer accounts. Password spraying tries a handful of common passwords against many accounts rather than many passwords against one, which keeps each account below lockout thresholds and makes the activity easy to miss with per-account failure counters alone.
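To make the distinction concrete, the following is an added example (not code from the original article, from Microsoft, or from any product it describes) that runs two detections over constructed sign-in events: one for spraying (one source, few failures each against many accounts inside a short window) and one for classic brute force (one source, many failures against one account). It also surfaces the signal that matters most operationally, a successful sign-in from a source already seen spraying. The log shape, thresholds, IP addresses and account names are all assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified sign-in-log shape; not real telemetry.
# Fields: ISO-8601 timestamp, source IP, target account, whether authentication succeeded.
SAMPLE_EVENTS = [
    # One source trying one guess against many accounts: spraying pattern.
    ("2021-06-25T10:00:01", "198.51.100.7", "alice@example.com", False),
    ("2021-06-25T10:00:09", "198.51.100.7", "bob@example.com", False),
    ("2021-06-25T10:00:17", "198.51.100.7", "carol@example.com", False),
    ("2021-06-25T10:00:25", "198.51.100.7", "dave@example.com", False),
    ("2021-06-25T10:00:33", "198.51.100.7", "erin@example.com", False),
    ("2021-06-25T10:00:41", "198.51.100.7", "frank@example.com", True),  # a guess landed
    # A second source hammering a single account: brute-force pattern.
    *[("2021-06-25T11:%02d:00" % i, "203.0.113.5", "admin@example.com", False) for i in range(12)],
    # A normal user mistyping once and then succeeding: must not be flagged.
    ("2021-06-25T12:00:00", "192.0.2.44", "grace@example.com", False),
    ("2021-06-25T12:00:20", "192.0.2.44", "grace@example.com", True),
]


def parse(rows):
    """Turn raw rows into (datetime, ip, account, success) tuples sorted by time."""
    return sorted((datetime.fromisoformat(ts), ip, user, ok) for ts, ip, user, ok in rows)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Return {ip: set(accounts)} for sources that failed against at least
    `min_accounts` distinct accounts inside `window` with no more than
    `max_per_account` failures against any single one of them."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            failures_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(user for _, user in fails[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                flagged.setdefault(ip, set()).update(per_account)
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=10):
    """Return {(ip, account): peak_failures_in_window} for sources that pile
    at least `min_failures` failed attempts on one account inside `window`."""
    fails = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails[(ip, user)].append(ts)
    flagged = {}
    for key, stamps in fails.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_failures:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def successes_from_spraying_sources(events, spraying_ips):
    """A successful sign-in from a source already seen spraying is the event
    to act on: the guessed account should be reset and its sessions revoked."""
    return [(ip, user) for _, ip, user, ok in events if ok and ip in spraying_ips]


if __name__ == "__main__":
    events = parse(SAMPLE_EVENTS)
    sprays = detect_password_spray(events)
    print("spraying sources:", {ip: sorted(accts) for ip, accts in sprays.items()})
    print("brute-force pairs:", detect_brute_force(events))
    print("compromised via spray:", successes_from_spraying_sources(events, set(sprays)))
```

The per-account threshold in `detect_password_spray` is what a lockout policy would also enforce, so the spraying source never trips it; only correlating failures across accounts by source exposes the pattern. In practice the source key should be broadened (ASN, user agent, or a cloud provider's own correlation fields), since real campaigns rotate IP addresses.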

The recent activity was mostly unsuccessful, and the majority of targets were not compromised. Microsoft said that all customers that were compromised or targeted are being contacted through its nation-state notification process.

The latest wave of intrusions is said to have primarily targeted IT companies, followed by government agencies, non-governmental organizations, think tanks, and financial services, with 45% of the attacks aimed at organizations located in the U.S., U.K., Germany, and Canada.

Microsoft reported that it detected information-stealing malware on a machine belonging to one of its customer support agents. This agent had access to basic account information for a small number of customers. The stolen customer information was subsequently used "in some cases" to launch highly targeted attacks as part of the broader campaign; Microsoft said it moved quickly to secure the device. Even "basic" account metadata of this kind is useful reconnaissance for tailoring follow-on phishing, which is why a single support endpoint with read access to customer records is an attractive foothold.

The revelation that the hackers have opened a new front in the campaign comes a month after Nobelium targeted more than 150 organizations across 24 countries by leveraging a compromised USAID account at the mass email marketing company Constant Contact to send phishing emails, enabling the group to deploy backdoors capable of stealing valuable information.

The development also marks the second time the threat actor has singled out Microsoft, after the company disclosed in February that the attackers had compromised its network and viewed source code related to its products and services, including Azure, Intune, and Exchange.

What's more, the disclosure arrives as the U.S. Securities and Exchange Commission (SEC) has opened a probe into the SolarWinds breach to examine whether some victims of the hack failed to publicly disclose the security event.