SolarWinds Hackers Compromise Three Microsoft Customers

‘A sophisticated Nation-State associated actor that Microsoft identifies as NOBELIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscription,’ says Microsoft in an email to affected customers.

The hackers behind the SolarWinds campaign breached a Microsoft support agent’s machine and used the account information they obtained to launch highly-targeted attacks against customers.

The Redmond, Wash.-based software giant said Friday that it’s aware of three customers compromised by the Russian foreign intelligence service (SVR) in its latest effort, though many more were targeted. More than half of the Microsoft customers targeted by the SVR were IT companies, and a plurality of the organizations in the SVR’s crosshairs were in the United States, according to Microsoft.

“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscription,” Microsoft wrote in a warning to affected customers, according to Reuters. Microsoft didn’t immediately respond to CRN requests for comment.

[Related: SolarWinds Hackers Used Constant Contact Email Service In Phishing Attack]

The U.S. government formally blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. The SVR is also known as APT 29, Cozy Bear and Nobelium.

The three Microsoft customers ultimately compromised by the SVR succumbed to password spray or brute force attacks, according to a company spokesperson. Microsoft said it hasn’t identified any customers who were successfully compromised as a result of the account information taken from the breached customer support agent’s machine.

Microsoft said it terminated the SVR’s access to the customer support agent’s machine and is contacting all compromised or targeted customers through its nation-state notification process. The company said its support agents are configured with the minimal set of permissions required as it relates to customer information. Microsoft didn’t say whether the customer support agent is an employee or a contactor.

In addition to IT companies – which made up 57 percent of the SVR’s targets – the hackers also went after Microsoft customers in the government, non-governmental organization (NGO), think tank and financial services spaces. Forty-five percent of the SVR’s targets in this campaign were based in the U.S., with smaller numbers headquartered in the United Kingdom, Germany, Canada and 32 other countries.

“This appears to be largely unsuccessful, run-of-the-mill espionage,” a White House official told Reuters. A majority of the SVR’s targets in the campaign weren’t actually compromised, according to Microsoft.

A SolarWinds spokesperson told CRN the latest cyberattack reported by Microsoft doesn’t involve SolarWinds or its customers in any way.

This is the second time the SVR’s offensive activities have become public since the SolarWinds campaign took place. Last month, Microsoft revealed the SVR used a government agency’s account credentials for the cloud email marketing service Constant Contact in a phishing campaign that led to the breach of 3,000 email accounts across 150 organizations.

The SVR launched its May attack by breaching the Constant Contact account of the United States Agency for International Development, or USAID, Microsoft said. From USAID’s Constant Contact account, the SVR was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a backdoor that could enable stealing data as well as infecting other computers on a network.