SolarWinds Hackers Compromise 14 Resellers In New Effort: Microsoft
‘Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling … targets of interest to the Russian government,’ writes Microsoft’s Tom Burt in a blog post.
The SolarWinds hackers have targeted more than 140 IT resellers and service providers and compromised as many as 14 since May in a new surveillance effort.
The Russian foreign intelligence service (SVR) hopes to piggyback on any direct access resellers have to their customers’ IT systems and impersonate them to gain access to their downstream customers, said Tom Burt, Microsoft’s corporate vice president of customer security and trust. But unlike the SolarWinds attack, the hackers have not attempted to exploit any flaw or vulnerability in software this time around.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling, now or in the future, targets of interest to the Russian government,” Burt wrote in a blog post Sunday.
The SVR is leveraging well-known techniques such as password spraying and phishing to steal legitimate credentials and gain privileged access at resellers, according to Burt. The attacks on resellers have been part of a larger wave of SVR activity this summer: since July 1, Microsoft has notified 609 customers that they were attacked a combined 22,868 times by the SVR, with a success rate in the low single digits.
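Password spraying, the technique named above, tries one or two common passwords against many accounts from the same source so that no single account trips a lockout. That shape is what a detection has to key on: many distinct accounts failing from one source IP in a short window, with few attempts per account, rather than many attempts against one account (classic brute force). The detector below is an added example written for this page, not code from Microsoft or Mandiant. It runs over a handful of constructed sign-in records (timestamp, user, source IP, result) whose column layout, hostnames and addresses are invented for illustration, and it also reports any account that later signed in successfully from a spraying IP, which is the first thing a responder wants to know.

```python
"""
Password-spray detector over constructed sign-in log records (added example).

A spray shows up as one source IP failing against many distinct accounts with
few attempts per account inside a short window. Brute force (many failures
against one account) is deliberately not flagged here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records in a made-up CSV layout modelled loosely on an
# identity provider's sign-in log. Hostnames and IPs are documentation ranges,
# not real data.
SAMPLE_LOG = """\
2021-10-22T08:00:01Z,alice@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:09Z,bob@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:17Z,carol@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:25Z,dave@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:33Z,erin@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:41Z,frank@example-msp.test,203.0.113.7,failure
2021-10-22T08:00:49Z,grace@example-msp.test,203.0.113.7,success
2021-10-22T08:01:02Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:01:05Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:01:08Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:01:11Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:01:14Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:01:17Z,alice@example-msp.test,198.51.100.20,failure
2021-10-22T08:05:00Z,heidi@example-msp.test,192.0.2.9,success
"""


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    ok: bool


@dataclass
class SprayAlert:
    ip: str
    window_start: datetime
    window_end: datetime
    targeted_accounts: list   # distinct accounts that failed in the window
    failures: int             # total failed attempts in the window
    compromised: list         # accounts that later succeeded from the same IP


def parse_log(text: str) -> list:
    """Parse the constructed CSV layout into SignIn records sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, result = line.split(",")
        records.append(SignIn(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            user=user.lower(),
            ip=ip,
            ok=(result == "success"),
        ))
    return sorted(records, key=lambda r: r.ts)


def detect_password_spray(records, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=2.0):
    """Return one SprayAlert per source IP whose failures fit the spray shape."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)

    alerts = []
    for ip, events in by_ip.items():
        failures = [e for e in events if not e.ok]
        best = None
        # Slide a window over the failures and keep the one hitting most accounts.
        for i, start in enumerate(failures):
            in_window = [e for e in failures[i:] if e.ts - start.ts <= window]
            accounts = {e.user for e in in_window}
            if len(accounts) < min_accounts:
                continue
            # Many failures per account is brute force, not a spray.
            if len(in_window) / len(accounts) > max_failures_per_account:
                continue
            if best is None or len(accounts) > len(best[1]):
                best = (in_window, accounts)
        if best is None:
            continue
        in_window, accounts = best
        w_start, w_end = in_window[0].ts, in_window[-1].ts
        # A success from the spraying IP at or after the spray began is the
        # credential the attacker now holds; those accounts need a reset.
        compromised = sorted({e.user for e in events if e.ok and e.ts >= w_start})
        alerts.append(SprayAlert(ip, w_start, w_end, sorted(accounts),
                                 len(in_window), compromised))
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"{a.ip}: {len(a.targeted_accounts)} accounts, {a.failures} failures, "
              f"compromised={a.compromised}")
```

On the sample data the detector flags 203.0.113.7 (six accounts, one failure each, then a success for one of them) and ignores 198.51.100.20, which hammers a single account and belongs to a separate brute-force rule. The thresholds are starting points; real sprays are often spread across many source IPs and over hours or days, so the same logic should also be run keyed on user agent or on the password-failure reason code where the log exposes one.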
The U.S. government blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. The group behind it is tracked by security vendors as APT 29 and Cozy Bear, and by Microsoft as Nobelium. Microsoft said the latest campaign is focused on resellers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
“This recent intrusion activity has involved leveraging stolen identities and the networks of technology solutions, services and reseller companies in North America and Europe to ultimately access the environments of organizations that are targeted by the Russian government,” said Charles Carmakal, senior vice president and CTO of Mandiant, which is working with organizations impacted by the SVR’s latest campaign.
Mandiant has seen downstream victims in North America and Europe thus far, and the intrusion activity is ongoing, according to a company spokesperson. The SVR has targeted the privileged accounts of service providers to move laterally in cloud environments, leveraging their trusted relationships to gain access to downstream customers and enable further attacks or access targeted systems, Microsoft said.
“This attack path makes it very difficult for victim organizations to discover they were compromised and investigate the actions taken by the threat actor,” Carmakal said in a statement. “It shifts the initial intrusion away from the ultimate targets, which in some situations are organizations with more mature cyber defenses, to smaller technology partners with less mature cyber defenses.”
In the observed supply chain attacks, downstream customers of resellers and service providers are also being targeted by the SVR, Microsoft said. In these instances, customers have granted delegated administrative rights to the resellers and service providers, which let the solution provider manage the customer’s tenants as if it were an administrator within the customer’s own organization, Microsoft said.
By stealing credentials and compromising accounts at the service provider level, Microsoft said the SVR can take advantage of delegated administrative privileges, leveraging that access to extend downstream attacks through externally facing VPNs or unique tools that enable network access. This attack path has been used to obtain access to both on-premises and cloud victim environments, according to Carmakal.
“These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by administrators,” the Microsoft Threat Intelligence Center (MSTIC) wrote in a blog post Monday.
Starting in November, Microsoft said a new reporting tool will be available that identifies and displays all active delegated administrative privilege connections to help companies discover unused connections. This tool will provide reporting that captures how partner agents are accessing client tenants through these privileges and will allow partners to remove the connection when not in use, Microsoft said.
In one attack chain observed by MSTIC during the latest campaign, the SVR chained together access across four distinct service providers to reach their end target. This demonstrates the breadth of techniques the SVR leverages to exploit and abuse trust relationships to accomplish their objective, according to Microsoft.
“Cloud service providers and other technology organizations who manage services on behalf of downstream customers will be of continued interest to persistent threat actors and are at risk for targeting via a variety of methods from credential access to targeted social engineering via legitimate business processes and procedures,” MSTIC wrote in its blog post.