CyberWire staff | thecyberwire.com
Microsoft has determined that the threat group responsible for the SolarWinds incident, Nobelium (a.k.a. APT29 and Cozy Bear), is continuing to launch supply chain attacks, this time focusing on technology services companies, including cloud service providers. The Russia-linked group appears unintimidated by the Biden administration's efforts to hamper its activities. As Mandiant's vice president of intelligence analysis John Hultquist told The Hill, "They have intelligence requirements that they are tasked with fulfilling, and they are unlikely to be deterred from doing that, that's their job." SecurityWeek reports that Mandiant has detected downstream targets in North America and Europe, and the research firm offers remediation suggestions for organizations that might be in the group's crosshairs.
Troy Gill, Senior Manager of Threat Intelligence at Zix | AppRiver, sees the challenge of software supply chain attacks as a case of the abuse of legitimate services:
“Supply chain attacks continue to make headlines in 2021 and it seems that Nobelium continues to be a common thread. It all started when the Nobelium hacking group compromised the distribution systems for SolarWinds’ Orion IT network management platform followed by a spear-phishing email campaign Microsoft alerted to in May of this year. Now, the threat actor is relying on spray-and-pray credential stuffing and phishing to steal legitimate credentials and gain privileged access by attacking resellers and technology service providers that customize, deploy and manage cloud services.
“Earlier this year, the Biden administration reacted to supply chain attacks by releasing the “Executive Order on Improving the Nation’s Cybersecurity” that contains language with the purpose of securing the U.S. federal government’s software supply chain. The executive order leverages supply chain security as part of a broader effort to modernize the U.S. federal government’s cybersecurity and requires that federal agencies adopt zero-trust architecture and uphold this new security model by implementing security best practices such as encryption and MFA. This was a step in the right direction to protecting and defending organizations from such attacks, but there are steps organizations must take themselves.
“These attacks underscore how threat actors continue to misuse legitimate services to help their campaigns evade detection. Traditional email security solutions will not protect them against these sophisticated attacks. In response, organizations need to upgrade their email security posture with a solution that’s capable of scanning incoming correspondence for campaign patterns, malware signatures, IP addresses, and other threat behaviors. This analysis should occur in real time so that legitimate correspondence can reach its intended destination without delay.”
Saryu Nayyar, CEO of Gurucul, expects no let-up in Russian cyberespionage:
“Not content with resting on their laurels in the wake of the largely successful SolarWinds attack, Russian state actors have been pursuing further attacks on US tech companies, as well as government agencies and think tanks. While relatively few of these attacks have succeeded, even one success is too many.
“Every organization, no matter what their purpose, has to do a better job of protecting their assets. You can’t rely on “security by obfuscation” or security by cloud providers if you’re serious about keeping attackers out. A program of data collection and analytics, coupled with real time risk assessment is the only way to protect yourself against threats.”
Josh Brewton, vCISO at Cyvatar, is unsurprised by Russia's failure to live up to its undertakings to abide by agreed norms of conduct in cyberspace:
“Russia’s broken promises should come as no surprise. Adversarial countries continue to make empty promises, all while funding offensive operations around the globe. With this, there has been an exponential increase of attacks attempted by nations and their state-sponsored counterparts over the last year. It has become abundantly clear there are alternative methods to traditional warfare to destabilize economies and administrations alike.
“The U.S. attempts to remedy deficiencies within the Defense Industrial Base (DIB) by enforcing new or increased forms of compliance, namely, the Cybersecurity Maturity Model Certification (CMMC). The CMMC no longer allows organizations to operate as part of the DIB with glaring vulnerabilities masked with the promise of getting fixed. You will need to become certified and maintain the required level of security or cease your operations with the government.
“While this covers a large swath of organizations, it leaves the question of those with no direct relationship with the government. The private sector vulnerability will start to be corrected by the increased use of vendor risk management and basic security requirements baked into contractual agreements between organizations. Few can afford to have a security breach occur within their organization or any organization they do business with. The increased pressure in the private sector between partners will drive a simple choice: comply with the required security baseline or experience client churn and the loss of future clients.”
Demi Ben-Ari, CTO and Co-Founder of Panorays, sees this form of supply chain compromise as simply an instance of continuing to play a winning hand:
“When cybercriminals find an attack method that works, they stick with it. So it’s not surprising that the Nobelium threat group, which was responsible for the massive SolarWinds supply chain attack last year, is continuing to target downstream customers through their service providers in order to inflict maximum damage. Rather than exploiting vulnerabilities or security flaws, the group is now using methods such as credential stuffing, phishing and API abuse to gain access to systems.
“The good news is that organizations can help prevent these kinds of attacks by implementing security best practices including enabling MFA and minimizing access privileges. To accomplish this rapidly and effectively, however, it’s crucial to have a robust and automated third-party security management program in place to assess supply chain partners, close cyber gaps and continuously monitor for any issues.”
External Link: SVR’s Supply Chain Cyberespionage