SolarWinds hackers compromised Microsoft support agent

After placing information-stealing malware on a customer support agent's system, the Nobelium threat actors gained access to three Microsoft clients.

The nation-state group behind the SolarWinds attacks compromised a Microsoft customer support agent's system and then gained access to three client networks in a series of ongoing attacks.

In a blog post Friday, the Microsoft Threat Intelligence Center said it detected information-stealing malware on a machine belonging to one of its customer support agents. Basic account information for a small number of customers was stored on the machine, but Microsoft said it removed the access and secured the device. However, the stolen information was already abused by the SolarWinds hackers, which Microsoft identifies as the Nobelium threat group.

"The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign," Microsoft wrote in the blog

Further details on the attacks, broader campaign or who was affected were not provided. Microsoft declined to comment on the record.

The latest attacks by the SolarWinds hackers were first reported by Reuters on Friday, shortly after Microsoft disclosed the attacks in a blog post.

In that blog, the tech giant addressed employee security protocols. Microsoft confirmed that its support agents are configured with a zero-trust "least privileged access" approach to customer information. Microsoft began the transition to zero-trust over three years ago, though it became increasingly important when COVID-19 forced a new remote workforce and need to prioritize endpoint security.

In this case, however, it appears those protocols were not enough.

The investigation into the compromised machine, which is ongoing, was spurred after Microsoft observed the Russian nation-state group using tactics such as password spraying and brute-force attacks in recent campaigns. While these tactics can lead to devastating attacks, they are not sophisticated. 

According to the blog, the recent Nobelium activity was mostly unsuccessful, but there are three confirmed compromised entities so far. Additionally, the new activity was largely focused on the U.S. and targeted specific customers, primarily IT and government. Thirty-six countries were targeted overall. That number has increased since Microsoft's previous blog post detailing another series of Nobelium cyberattacks, which stated targeted victims spanned at least 24 countries.

In the blog last month, Microsoft said it observed a wave of attacks that targeted approximately 3,000 email accounts at more than 150 different organizations. It connected those attacks to Nobelium, the same actor behind the SolarWinds supply chain hack in 2020.

Initially, the SolarWinds hackers were not identified or associated with any specific nation until early 2021, when the White House said the attacks were likely of Russian origin. Microsoft officially identified the group as Nobelium in March. It was also revealed that its tools were new pieces of malware "unique to this actor." According to Microsoft, those "tools are tailor made for specific networks and are assessed to be introduced after the actor has gained access through compromised credentials."

In 2019, Nobelium used those tools to plant a backdoor in SolarWinds Orion platform, which was activated when customers updated the software. Subsequently, the nation-state group gained access to the networks and data of thousands of SolarWinds customers, including high-profile government agencies and major tech companies such as FireEye and Microsoft.

UPDATE 6/29: A SolarWinds spokesperson told SearchSecurity "The latest cyberattack reported by Microsoft does not involve our company or our customers in any way."

Microsoft said Nobelium has demonstrated a deep knowledge of software tools, deployments, security software and systems.

After conducting one of the broadest cyber attacks in history, it appears Nobelium activity has not slowed. Microsoft has continually observed new attacks and tactics, as documented in its recent blog posts. Like SolarWinds, the motives appear to be cyberespionage-related.

"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," Microsoft wrote in the blog.

Microsoft accused the group of undermining trust in the technology ecosystem. The company noted that it is clear Nobelium seeks to gain access to trusted technology providers and infect their customers by "piggybacking on software updates and now mass email providers."

Microsoft said it is notifying all customers impacted by the most recent compromise.

Next Steps

SolarWinds warns of zero-day vulnerability under attack

Microsoft's 'PrintNightmare' lingers, requires new patches

US Senate mulling bill on data breach notifications

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing