Navigating Nobelium: Lessons from Cloud Hopper and NotPetya cyberthreats
In December 2020, the threat of supply chain attacks started to seem real to a lot of people. That’s when FireEye/Mandiant dropped its bombshell report about a major “global intrusion campaign” delivered through Trojan-implanted updates of SolarWinds’ popular Orion software. About 18,000 SolarWinds customers downloaded the update, though the attackers then focused on a subset of high-value targets, including major corporations and federal government agencies.
The SolarWinds incident made a strong point about the far-reaching impact of attacks on the supply chain, particularly because the group behind the campaign hasn’t stopped. Microsoft detailed in October 2021 that the Russia-based advanced persistent threat (APT) group, which Microsoft calls Nobelium, has branched out from the software supply chain to target IT service providers — including cloud service providers (CSPs) and managed service providers (MSPs) — exploiting privileged and administrative credentials to gain access to downstream customers.
Although Nobelium’s activities display a high level of sophistication, its latest campaign isn’t new. In 2016–2017, I was part of a team at PwC charged with incident response for two major campaigns. The first was a years-long campaign by a Chinese nation-state hacking group that targeted MSPs in order to gain access to major organizations worldwide, known as Operation Cloud Hopper. The second was the NotPetya global ransomware campaign, which was strikingly similar to SolarWinds in that the actors compromised the software update system of the Ukrainian MeDoc accounting software. The lessons from both are extremely valuable for organizations now defending themselves from Nobelium and the inevitable technology supply chain attacks that are to come.
I expect we’ll see frequent reports about the activities of Nobelium and other threat actors that are living off the land across these supply chains. Nearly every organization should assume it is at risk, but there are ways of countering the APT’s tactics. Here are several approaches that enterprises should adopt to continuously investigate their own networks.
Engage in Continuous Risk Assessments of Third-Party Providers
You should conduct detailed third-party risk assessments that cover not just technical security controls but governance, risk, and compliance. Activity between your organization and third parties should be continuously monitored, logged, and reviewed against a pre-established baseline of normal activity to help detect anomalies. Having the right checks and balances in place can help mitigate threats coming via providers.
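As an added illustration of the baseline comparison described above (example code written for this edit, not from the article or PwC), a small Python detector that learns a provider account's normal source networks, target hosts and hours from a known-good window of constructed sign-in events and flags later deviations, including an account that never appeared in the baseline:

```python
import ipaddress
from datetime import datetime

# Constructed sample sign-ins (not real data) for a provider's delegated admin account: a known-good baseline window, then a later review window.
BASELINE_LOGS = [
    "2021-09-06T09:12:00Z user=msp-admin src=203.0.113.10 host=dc01 action=login",
    "2021-09-07T10:40:00Z user=msp-admin src=203.0.113.25 host=fileserver01 action=login",
    "2021-09-08T14:05:00Z user=msp-admin src=203.0.113.10 host=dc01 action=login",
]
REVIEW_LOGS = [
    "2021-10-04T10:02:00Z user=msp-admin src=203.0.113.30 host=dc01 action=login",
    "2021-10-05T03:17:00Z user=msp-admin src=198.51.100.7 host=hr-payroll action=login",
    "2021-10-05T03:21:00Z user=msp-svc2 src=198.51.100.7 host=dc01 action=login",
]

def parse(line):
    # Split "TIMESTAMP key=value ..." into a dict and add the UTC hour of day.
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["hour"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return fields

def build_baseline(lines):
    """Per provider account: source /24 networks, target hosts and hours seen as normal."""
    baseline = {}
    for f in map(parse, lines):
        b = baseline.setdefault(f["user"], {"nets": set(), "hosts": set(), "hours": set()})
        b["nets"].add(ipaddress.ip_network(f["src"] + "/24", strict=False))
        b["hosts"].add(f["host"])
        b["hours"].add(f["hour"])
    return baseline

def find_anomalies(baseline, lines):
    """Return (user, reason) for every review event that deviates from its baseline."""
    findings = []
    for f in map(parse, lines):
        b = baseline.get(f["user"])
        if b is None:
            findings.append((f["user"], "account never seen in baseline window"))
            continue
        reasons = []
        if not any(ipaddress.ip_address(f["src"]) in net for net in b["nets"]):
            reasons.append("new source network for " + f["src"])
        if f["host"] not in b["hosts"]:
            reasons.append("first access to host " + f["host"])
        if f["hour"] not in b["hours"]:
            reasons.append("outside usual hours (%02d:00 UTC)" % f["hour"])
        if reasons:
            findings.append((f["user"], "; ".join(reasons)))
    return findings
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), REVIEW_LOGS)` leaves the first review event alone (same /24, known host, usual hour) and reports the other two; in practice the baseline window would be built from weeks of provider-side logs rather than three lines.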
Thoroughly Understand Attack Vectors Across the Supply Chain
Service providers have joined hardware and software as prime targets for attackers. A comprehensive approach to security must include an understanding of the threat landscape, as well as threat groups and their tactics, such as using compromised credentials to exploit unpatched software. A complete view of potential threats — including those to system architecture, access, and authentication controls — must be compared not only against the state of your critical systems but also the security postures of partners.
To read the complete article, visit Dark Reading.