"Nobelium Attackers Compromised Microsoft Customer Support Agent"

The attackers behind the SolarWinds hack carried out another malicious campaign against government agencies and IT companies. They compromised a machine belonging to a Microsoft customer support agent who had access to customer data. The attack campaign targeted companies in 36 countries, with nearly half of the impacted companies being in the U.S. Customers whose accounts were affected by the compromise of the agent's machine have received a warning from Microsoft. According to Microsoft, the campaign was a phishing attack that performed password spraying to access accounts. Microsoft's Threat Intelligence Center said that most of the targets were not successfully compromised. Microsoft discovered the compromise of its customer service agent during the investigation of activity by the threat group Nobelium. This group has been found to be affiliated with the Russian SVR and is also referred to as APT29.  The U.S. government has attributed the compromise of SolarWinds and many of its customers to Nobelium. Microsoft has not specified where the compromised customer service agent was located or whether the agent is a company employee or a contractor. The investigation also led to the detection of information-stealing malware on a customer support agent's machine that has access to account information for some of Microsoft's customers. In some cases, the threat actor used this information to launch highly targeted attacks as part of the broader campaign. This article continues to discuss the tactics used by Nobelium attackers in a recent campaign against government agencies and IT companies.

Decipher reports "Nobelium Attackers Compromised Microsoft Customer Support Agent"