This year, Nobelium has made several attempts to attack US customers of the global IT supply chain. Its focus now lies on resellers and related technology service providers that operate cloud services and other technologies for their clients. Cybersecurity experts estimate that of the 140 resellers targeted by Nobelium since May 2021, 14 have already been compromised.
Nobelium is the same actor behind the cyberattacks against SolarWinds customers in 2020 and is one of the most notable Russia-based cybercriminal groups in the world right now. It has also been linked with Russia's foreign intelligence service, the SVR.
The group also attacked over 600 Microsoft customers 22,868 times between July 1 and October 19 this year. A recent consolidated report on this group's activities has been included in the Microsoft Digital Defense Report published this month.
According to the Microsoft Threat Intelligence Center (MSTIC), Nobelium is using scripted capabilities such as RoadTools, AADInternals, and others to forge Azure AD authentications and gain entry into live scripting environments. The goal is long-term persistence and access to sensitive information. In particular, Nobelium has been focusing on high-tier privileged users such as Global Administrators, pairing Azure RunCommand with Azure admin-on-behalf-of (AOBO) access to infiltrate virtual environments.
Most of the attacks on clients of US companies rely on password phishing or password spraying to gain initial access. Cybersecurity experts have recommended specific techniques for protecting legitimate partners, such as security protections on Partner Portal access and multi-factor authentication (MFA). Other recommended measures include using delegated administrative privilege (DAP), Microsoft Cloud App Security (MCAS), M365 Defender, Azure Defender, and Azure Sentinel.
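Because password spraying is the initial-access technique the report highlights, and Global Administrators are the accounts it singles out, a defender would want to spot a spray that ends in a privileged sign-in. The following is an added example, not code from the article or from Microsoft: it runs a simple spray heuristic over constructed Azure AD-style sign-in records (tenant, users, IPs and role membership are all made up; error code 50126 is Azure AD's "invalid username or password" result) and reports any source IP that fails against many distinct accounts in a short window, together with any Global Administrator that IP then signed in as successfully.

```python
# Added example: password-spray detection over Azure AD-style sign-in records.
# All data below is constructed for illustration; nothing is from a real tenant.
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified sign-in events. error_code 50126 = invalid username or password,
# 0 = success. Tenant names, users and IP addresses are made up.
SIGNINS = [
    {"ts": "2021-10-19T08:00:00", "upn": "alice@contoso-reseller.example", "ip": "198.51.100.7", "error_code": 50126},
    {"ts": "2021-10-19T08:00:05", "upn": "bob@contoso-reseller.example",   "ip": "198.51.100.7", "error_code": 50126},
    {"ts": "2021-10-19T08:00:09", "upn": "carol@contoso-reseller.example", "ip": "198.51.100.7", "error_code": 50126},
    {"ts": "2021-10-19T08:00:14", "upn": "dave@contoso-reseller.example",  "ip": "198.51.100.7", "error_code": 50126},
    {"ts": "2021-10-19T08:00:20", "upn": "ga-admin@contoso-reseller.example", "ip": "198.51.100.7", "error_code": 0},
    {"ts": "2021-10-19T09:30:00", "upn": "alice@contoso-reseller.example", "ip": "203.0.113.9",  "error_code": 50126},
    {"ts": "2021-10-19T09:30:30", "upn": "alice@contoso-reseller.example", "ip": "203.0.113.9",  "error_code": 0},
]
# Constructed directory role membership; the article singles out Global Administrators.
GLOBAL_ADMINS = {"ga-admin@contoso-reseller.example"}

def detect_password_spray(signins, window=timedelta(minutes=10), min_users=4):
    """Flag source IPs that fail against many distinct accounts within one window.
    Returns {ip: {"users": [...failed accounts...], "admin_success": [...]}}."""
    by_ip = defaultdict(list)
    for e in signins:
        by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda x: x[0])
        for i, (t0, _) in enumerate(events):
            # Sliding window starting at each event from this IP.
            in_window = [e for t, e in events[i:] if t - t0 <= window]
            failed_users = {e["upn"] for e in in_window if e["error_code"] == 50126}
            if len(failed_users) >= min_users:
                # A successful Global Administrator sign-in from the spraying IP is the
                # outcome the report warns about, so surface it explicitly.
                admin_hits = sorted(e["upn"] for e in in_window
                                    if e["error_code"] == 0 and e["upn"] in GLOBAL_ADMINS)
                findings[ip] = {"users": sorted(failed_users), "admin_success": admin_hits}
                break
    return findings

if __name__ == "__main__":
    for ip, f in detect_password_spray(SIGNINS).items():
        print(f"spray from {ip}: {len(f['users'])} accounts failed; GA success: {f['admin_success']}")
```

The single user retrying from 203.0.113.9 is not flagged, since a spray is many accounts from one source rather than one account failing repeatedly.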