In an advisory released on October 24, Microsoft announced ongoing campaigns it has attributed to the Nobelium state-sponsored threat group. IBM X-Force tracks this group as Hive099. If the name sounds familiar, that’s because it is the same group that targeted SolarWinds in 2020. The U.S. government has identified Nobelium as part of Russia’s foreign intelligence service known as the SVR.

Microsoft warns that the activity they are seeing appears to focus on cloud service resellers, technology providers, and their downstream customers in Europe and the U.S. organizations are urged to take notice and act to mitigate the risk of compromise.

Abusing digital trust relationships

The ongoing wave of attacks is designed to abuse trusted relationships, such as delegated administrative privilege (DAP). Those can enable attackers to move through the channels that underpin provider/customer relationships. With the goal of compromising accounts at the service provider level, activity has persisted through summer of 2021 and does not appear to exploit any specific vulnerabilities. Instead, the attackers are reported to be using a toolkit of malware, password spraying, API abuse, and spear-phishing to obtain stolen credentials and infiltrate networks with privileged access.

These attack tactics are not novel, and organizations can arm themselves better to reduce the chance of compromise by using multi-factor authentication. Further mitigation can come from restricting the use of privileged access by employees and third parties alike. It is also recommended to review DAP and terminate unused access or places where suspicious activity may have been logged.

Remain vigilant

At this time, IBM recommends that organizations with increased risk to Nobelium attacks begin looking into their specific implementations, both in cloud environments and on premises.

IBM is closely monitoring the overall situation and is engaged with clients and the security community. More details can be found in our designated X-Force Exchange collection, which will be updated as this situation evolves.

Assistance is also available to assist 24×7 via IBM Security X-Force’s US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Government

Updated SBOM guidance: A new era for software transparency?

3 min read - The cost of cyberattacks on software supply chains is a growing problem, with the average data breach costing $4.45 million in 2023. Since President Biden’s 2021 executive order, software bills of materials (SBOMs) have become a cornerstone in protecting supply chains.In December 2023, the National Security Agency (NSA) published new guidance to help organizations incorporate SBOMs and combat the threat of supply chain attacks.Let’s look at how things have developed since Biden’s 2021 order and what these updates mean for…

Roundup: Federal action that shaped cybersecurity in 2023

3 min read - As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal level.These stories highlight the challenges federal agencies faced in securing digital infrastructure in the past year and explore the evolving nature of cyber threats, as well as the innovative responses required to address them.New White House cybersecurity strategyThe White House’s…

ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware

12 min read - As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign. X-Force tracks ITG05 as…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today