EXECUTIVE SUMMARY:

A customer support representative’s account was breached. The hackers responsible for this attack are the same ones who launched the SolarWinds campaign: Nobelium. Basic information from customer accounts may have been affected.

Here’s how it happened: The hackers leveraged fraudulent phishing emails to deliver information-stealing malware to customer support personnel and their machines. The data discovered on the machines was then weaponized to target major industry groups, from IT companies to government agencies to NGOs and think tanks.

The basic information accessed

  • Information about support cases
  • Subscription account metadata
  • Services paid for by customers
  • Billing details

The computer tainted by information-stealing malware has since been secured. A “small number” of affected customers have received notification concerning the breach. Recipients of notifications are advised to exercise caution with regard to online interactions with billing contacts and to change account credentials for associated platforms.

Lawmakers and this intrusion

While most are still taking in the details, House Homeland Security Chair Bennie Thompson (D-Miss.) asserts that this latest attack emphasizes the need for the public sector and the private sector to “step up their game” regarding security. Historically, Nobelium’s hacks have gone undetected for significant lengths of time.

This attack illustrates how modern cyber crime extends beyond small-scale scams. Rather, it targets major economic engines. Massive cyber attacks are no longer simple to squash. At this point, they’re national security threats and can potentially result in a disruptive domino effect that shuts down organizations worldwide.

Could the recent spate of cyber attacks boil down to leaked ‘cyber superweapons’? Check Point research experts note that major powers around the world are focused on cyber weapons development; these can be launched in seconds, and can cause “fatal damage and irreparable harm” to organizations.

Nobelium’s phishing campaigns

Phishing campaigns conducted by Nobelium have largely been far-reaching. The fallout from this one may affect organizations in as many as 36 countries. A previous phishing campaign, in which hackers pretended to work with the US Agency for International Development (USAID), saw hackers trying to gain entry into 150 enterprises across more than 20 nations.

Microsoft warns that Nobelium is also following through on password spraying and brute-force attacks in order to gain unauthorized system entry and to access business information. According to Microsoft, the majority of Nobelium’s recent attacks have not led to corporate harm.

Basic information: Nobelium

The Nobelium hacker group is also known as Cozy Bear, APT29 and The Dukes. Among the more active threat groups, Nobelium targets high-level organizations, from technology companies, to government agencies, to diplomatic entities. The group is responsible for the well-known:

Nobelium aims to access internal networks and to then either escalate privileges or move laterally across the network—depending on the type of attack. They gain an initial foothold in an ecosystem and then advance activities from there.

These types of breach attempts are not new. Organizations are advised to take security precautions. This includes enabling multi-factor authentication and leveraging zero-trust policies.

Sweeping investigations into Nobelium’s activities remain ongoing. For additional basic information about Nobelium, visit CISA’s website.