In an advisory released on October 24, Microsoft announced ongoing campaigns it has attributed to the Nobelium state-sponsored threat group. IBM X-Force tracks this group as Hive099. If the name sounds familiar, that’s because it is the same group that targeted SolarWinds in 2020. The U.S. government has identified Nobelium as part of Russia’s foreign intelligence service known as the SVR.

Microsoft warns that the activity they are seeing appears to focus on cloud service resellers, technology providers, and their downstream customers in Europe and the U.S. organizations are urged to take notice and act to mitigate the risk of compromise.

Abusing digital trust relationships

The ongoing wave of attacks is designed to abuse trusted relationships, such as delegated administrative privilege (DAP). Those can enable attackers to move through the channels that underpin provider/customer relationships. With the goal of compromising accounts at the service provider level, activity has persisted through summer of 2021 and does not appear to exploit any specific vulnerabilities. Instead, the attackers are reported to be using a toolkit of malware, password spraying, API abuse, and spear-phishing to obtain stolen credentials and infiltrate networks with privileged access.

These attack tactics are not novel, and organizations can arm themselves better to reduce the chance of compromise by using multi-factor authentication. Further mitigation can come from restricting the use of privileged access by employees and third parties alike. It is also recommended to review DAP and terminate unused access or places where suspicious activity may have been logged.

Remain vigilant

At this time, IBM recommends that organizations with increased risk to Nobelium attacks begin looking into their specific implementations, both in cloud environments and on premises.

IBM is closely monitoring the overall situation and is engaged with clients and the security community. More details can be found in our designated X-Force Exchange collection, which will be updated as this situation evolves.

Assistance is also available to assist 24×7 via IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Government

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today