(CN) — Microsoft said it has observed new hacking activity from the Russia-backed group behind the massive cyberattacks that targeted SolarWinds software customers last year.
Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a blog post Sunday that the hackers responsible for last year’s ransomware attack on software used by government agencies are going after technology service providers and “organizations integral to the global IT supply chain.”
This type of supply chain attack enables hackers to steal information from several targets by breaking into a product they all use.
Microsoft says the hacking group, known as Nobelium or Cozy Bear, has recently targeted about 140 resellers and providers that customize, deploy and manage cloud services and other technologies for customers.
According to the tech giant, Nobelium has compromised 14 technology service providers using phishing emails and a technique known as password spray, which involves checking commonly used passwords against multiple accounts before moving on to attempt a second password.
Burt says these attacks have been a part of a larger wave of nefarious Nobelium activities over the summer.
“In fact, between July 1 and October 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a success rate in the low single digits,” the blog post says. “By comparison, prior to July 1, 2021, we had notified customers about attacks from all nation-state actors 20,500 times over the past three years.”
Microsoft says it has been monitoring Nobelium’s latest activity since May, and has been working with U.S. and European government agencies.
U.S. officials last year blamed the SolarWinds hack on SVR, a Russian intelligence agency that breached the Democratic National Committee’s networks during the 2016 presidential election. Nobelium is said to be backed by SVR.
The massive hack was first disclosed last December but the U.S. Cybersecurity and Infrastructure Security Agency said it began “in at least March 2020." Federal officials have described the cyberattack as “the worst hacking case in the history of America," affecting over 18,000 private and government clients.
Hackers used the SolarWinds network management software to break into the computer systems of the U.S. Departments of Commerce, State, Homeland Security and the Treasury, as well as the National Institutes of Health along with thousands of private companies across the globe.
In April, President Joe Biden imposed sanctions on several Russian financial institutions and technology companies believed to be involved in recent cyberattacks, including the SolarWinds breach. Secretary of State Antony Blinken said the sanctions "are intended to hold Russia to account for its reckless actions."
Burt wrote in Sunday's blog post that Nobelium's recent activity shows Russia is still trying "to gain long-term, systematic access to a variety of points in the technology supply chain" and use it to spy on certain targets.
"Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful," he wrote.