SHARED INTEL: Microsoft discloses how the Nobelium hacking ring engages in routine phishing

By Byron V. Acohido

Microsoft has blunted the ongoing activities of the Nobelium hacking collective, giving us yet another glimpse of the unceasing barrage of hack attempts business networks must withstand on a daily basis.

Related: Reaction to Biden’s cybersecurity executive order

Nobelium is the Russian hacking collective best known for pulling off the milestone SolarWinds supply chain hack last December. That caper required the intricate counterfeiting of software updates sent out automatically by SolarWinds to 18,000 customers. And yet, for all of its sophistication, Nobelium also engages in routine phishing campaigns to get a foothold in targeted organizations. That initial toehold is, of course, what it then uses to go deeper.

In this case, the attackers leveraged information gleaned from a Microsoft worker’s computing device. In a blog posting, Microsoft disclosed that it “detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers” and that “the actor used this information in some cases to launch highly targeted attacks as part of their broader campaign.”

Microsoft said it notified the targeted 150 organizations, which included “IT companies (57%), followed by government (20%), and smaller percentages for non-governmental organizations and think tanks, as well as financial services.” Some 45 percent of the targeted entities were based in the US, 10 percent were based in the UK, and the rest were spread across 36 different countries. Only three of the 150 entities actually got compromised.

Simple techniques

“Once again, we are seeing how modern cyber crime is targeting more than just individuals or small organizations,” observes Erich Kron, security awareness advocate at KnowBe4. “These attacks are no longer a nuisance, but instead represent a real and significant threat to our national security.

“This group has been in business for a long time and has made a name for itself with its successes. This round of attacks, including simple but effective techniques such as password spraying, the process of using a known email address coupled with common passwords, such as 12345678, shows how powerful low-tech approaches are.

“To help protect against these types of attacks, organizations should enable multi-factor authentication (MFA) on login accounts when available, monitor for brute force attempts and educate users on the importance of password hygiene, such as using unique and strong passwords, in the battle against cyber crime.”

Cyber hygiene works

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, notes that Nobelium’s latest attacks aren’t anything fancy. They revert to the tried-and-true technique of compromising victims’ passwords to gain access to their accounts.

“Passwords alone haven’t been sufficient enough to keep hackers out for a long time and it’s only getting worse,” Clements says. “Picking passwords that are both strong and unique to each site or application can be daunting but there are mnemonic devices and password managers that can ease the burden, but the biggest security improvements an individual user can make come from implementing non-SMS based two factor authentication for all their accounts.

“Organizations can also go a step further in shoring up defenses against password attacks by implementing conditional access as well as continuously monitoring for suspicious activity like credential stuffing attacks against their environment.”
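Both experts quoted above point at the same monitoring gap: a password spray (one source trying a few common passwords across many accounts) and a single-account brute-force attack leave different footprints in failed sign-in logs, and neither is caught by per-account lockout alone. The script below, added here as an illustration and not code from the article, Microsoft, KnowBe4 or Cerberus Sentinel, runs both signatures over constructed sign-in records. The log format (`timestamp user source_ip result`), the thresholds, the user names and the RFC 5737 test addresses are all assumptions chosen for the example.

```python
"""
Flag password-spraying and single-account brute-force patterns in failed
sign-in records. Added example, not vendor tooling; log format, thresholds
and sample data are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one record per line: "timestamp user source_ip result".
#  - 203.0.113.7  tries six different accounts once each  -> spray signature
#  - 198.51.100.9 hammers one account twelve times        -> brute-force signature
#  - 192.0.2.5    one mistyped password, then success     -> benign, no alert
SAMPLE_LOG = "\n".join(
    [f"2021-06-25T09:00:{i:02d} user{i} 203.0.113.7 FAIL" for i in range(6)]
    + [f"2021-06-25T09:05:{i:02d} carol 198.51.100.9 FAIL" for i in range(12)]
    + ["2021-06-25T09:10:00 dave 192.0.2.5 FAIL",
       "2021-06-25T09:10:30 dave 192.0.2.5 SUCCESS"]
)


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "result": result})
    return events


def detect(events, window=timedelta(minutes=10), spray_min_users=5,
           spray_max_per_user=2, brute_min_fails=10):
    """
    Slide a time window over each source IP's failures and raise:
      - password_spray: many distinct accounts, few failures per account
      - brute_force:    one account with many failures from the same source
    Each (source, pattern) pair is reported once.
    """
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            failures[ev["src"]].append(ev)

    alerts = []
    for src, evs in failures.items():
        start = 0
        flagged = set()
        for end in range(len(evs)):
            # Advance the window's left edge so it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1

            # Spray: breadth across accounts, shallow per account.
            if (len(per_user) >= spray_min_users
                    and max(per_user.values()) <= spray_max_per_user
                    and "spray" not in flagged):
                alerts.append({"type": "password_spray", "src": src,
                               "users": sorted(per_user)})
                flagged.add("spray")

            # Brute force: depth against a single account.
            for user, n in per_user.items():
                if n >= brute_min_fails and ("brute", user) not in flagged:
                    alerts.append({"type": "brute_force", "src": src,
                                   "user": user, "failures": n})
                    flagged.add(("brute", user))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The two rules are deliberately keyed on the source rather than the account, because a spray never trips a per-account lockout: each account sees only one or two failures. Real deployments would tune the window and thresholds to their sign-in volume and enrich the source field (ASN, geolocation, known VPN ranges) before alerting; the thresholds above are only placeholders.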

This gets back to the importance of cyber hygiene, folks. It’s a sign of progress that only three of 150 compromise attempts were successful. We’re moving in the right direction. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
