Nobelium hackers continue to attack Microsoft customers, Trojan on support computers

Sicherheit (Pexels, allgemeine Nutzung)[German]The activities of the suspected Russian Nobelium group continue. Microsoft has uncovered three successful hacks of customers and informed them. In addition, a Trojan was found on a Microsoft supporter's computer. This was able to pass on information about customers to the hackers.


Nobelium is Microsoft's name for a state-sponsored hacking group that is believed to operate out of Russia and is responsible for the SolarWinds attacks. Microsoft's Threat Intelligence Center has tracked new activity from the threat actor Nobelium. Its security monitoring tools have detected password spray and brute force attacks. As a result, Microsoft has published some findings in this blog post to help customers and communities protect themselves. 

Three victims found

According to Microsoft, the hacker group's recent activities have been mostly unsuccessful, and most targets have not been successfully compromised. Microsoft is aware of three compromised facilities so far. All customers who were compromised or attacked were contacted by Microsoft.

This type of activity is not new and targeted specific customers. Primarily IT companies (57%), followed by government agencies (20%), and smaller shares for non-governmental organizations and think tanks, as well as financial services.  Most of the activity focused on U.S. interests, about 45%, followed by 10% in the U.K. and smaller numbers from Germany and Canada.  In total, 36 countries were targeted.

Trojan  found on system

During the analysis of an ongoing activity, Microsoft security researchers also discovered a Trojan on a computer belonging to one of the customer support employees. Through the computer, the employee had access to basic account information for a small number of Microsoft customers.

The threat actor used this information in some cases to launch highly targeted attacks as part of its broad campaign. Microsoft says it responded quickly. They removed access and secured the device. The investigation is ongoing, but Microsoft confirms that Microsoft support agents are configured with the minimal permissions required under Microsoft's Zero Trust approach for "least privileged access" to customer information. We are notifying all affected customers and assisting them in keeping their accounts secure.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *