A new Russian cyberattack has put at risk thousands of computers belonging to US companies and official bodies, Microsoft revealed on Monday in a blog post. According to Tom Burt, its vice president for security affairs, it is a campaign by the “Russian Nobelium agency”. It’s the same group of hackers “that was behind the SolarWinds incident in 2020 (in Q2) and that the US Government and others identified as part of the SVR [Russian Foreign Intelligence Service]”.
The offensive comes seven months after President Joe Biden announced sanctions against Moscow in April for its responsibility in several such episodes, and just two weeks after he organized a meeting with 30 countries and the European Union to discuss cybersecurity issues, to which Russia was not invited. The absence is due to the fact that, as explained by a senior White House official, there are bilateral channels in which these issues are being discussed “in a frank and direct manner”. Judging by the latest news, candor is not bearing the desired results.
The attack falls under the category of espionage (looking for industrial or pharmaceutical secrets) rather than sabotage, a pattern that has been repeated in several of the most notorious campaigns of the past two years, which have caused millions in losses for US companies and affected the supply of oil or meat. In this type of operation, hackers use the technique of ransomware, malicious software that hijacks a computer system and encrypts the data until a ransom is paid, usually in cryptocurrency.
Sanctions against Moscow
Washington imposed harsh sanctions on Russia on April 15 for, among other reasons, interfering with the 2020 US presidential election. Biden said then that he briefed the Russian president in a “respectful and sincere” telephone conversation. “I was clear with President [Vladimir] Putin. The United States could have gone further, but we decided not to. But if Russia takes another step in its interference, we are prepared to respond.” Moscow reacted with the threat of vigorous measures.
The latest cyberattack has as its main objective the technological supply chain, those companies that adapt Microsoft’s data storage services in the cloud so that they can be used by end consumers, be they commercial companies or academic organizations. In jargon, they are known as “resellers”. And this is one of the weakest points in the system. Although there are institutions like the CIA that rely on companies like Amazon for this type of maintenance of their data, when this technology is outsourced security can be seriously affected.
According to experts attending this week’s annual cybersecurity forum in Sea Island, Georgia, cited by The New York Times, the hackers, who worked from a large database of stolen passwords, this time employed “unsophisticated and easy to prevent” techniques.
US authorities had already attributed to the SVR the spying on the networks of the Democratic National Committee, the party’s governing body, in the 2016 elections, in which Donald Trump was elected. In the case of SolarWinds, they managed to change the software of thousands of computers, exposing data from 18,000 users. This time, the number of affected terminals was smaller. Earlier, SVR hackers introduced their spies through software used by dozens of institutions, including the Treasury Department. All that was needed was for a user to routinely update this service, provided by the Texas company SolarWinds, for the system to be infected by virtual spies. The Kremlin has repeatedly denied its involvement in these attacks. US officials doubt Moscow’s willingness to contain them.
“We began looking at this latest campaign in May 2021 and we inform those who have been harmed and at the same time provide them with assistance,” wrote senior company executive Tom Burt in the aforementioned statement. “We are continuing to investigate, but so far we believe that at least 14 of these resellers and service providers have been compromised. Fortunately, we discovered this campaign in its early stages (…). These attacks are part of a broader action. Between July 1st and October 19th, we informed 609 customers who had been attacked 22,868 times by Nobelium, with a low success rate.”
Burt considers that “this recent activity is another indicator that Russia is trying to gain systematic and long-term access to the technology supply chain so that it can monitor, now or in the future, targets of interest” to the Kremlin. Microsoft promises that it will continue to work “with the private sector, with the US Government and with all other Governments interested in combating” these threats.