More Russian SVR Supply-Chain Attacks

Microsoft is reporting that the same attacker that was behind the SolarWinds breach — the Russian SVR, which Microsoft is calling Nobelium — is continuing with similar supply-chain attacks:

Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers. We began observing this latest campaign in May 2021 and have been notifying impacted partners and customers while also developing new technical assistance and guidance for the reseller community. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised. Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers, and their customers take timely steps to help ensure Nobelium is not more successful.

Posted on October 28, 2021 at 6:12 AM15 Comments

Comments

David Rudling October 28, 2021 8:11 AM

Interesting but the main SVR attack will be against the supply chain for AWS because of its government client base.

Someone October 28, 2021 9:11 AM

@DAVID RUDLING.

Not true. US gov has is very big user of Azure, including a region ofAzure just for DoD.

Ted October 28, 2021 9:33 AM

The following comment is on YCombinator:

“The Darknet Diaries podcast just released an episode on a similar attack (via MSP) if you’re interested in hearing what this looks like from a remidiation standpoint”

hxxtps://news.ycombinator.com/item?id=29013687

Clive Robinson October 28, 2021 10:02 AM

@ ALL,

From the article,

“used in past attacks by targeting organizations integral to the global IT supply chain. This time, it is attacking a different part of the supply chain

It’s not just the “IT” supply chain, where this is going to happen it’s all supply chains.

This is not a matter of opinion, but “the down hill sloop” of atleast twenty years of managment stupidity based on “The Chicago School” of economics promalgated by neo-cons and others. It is best expressed by the mantra taught to economic and MBA students, that “to be competitive, you have to optomise…” which gets wrapped into “Never leave money on the table/floor”.

Nature has over more millennia than can be counted, developed a survival stratagy for living entities. Some call it the 2/3rds or 66% of capacity stratagy. What it means is that if you optomize beyond that point your entity is over the resiliance peak and on the fast downhill slope to otherwise avoidable disaster. Worse once over that peak a few more % and you reach a “tipping point” where the entity can not pull back by it’s self.

Thus the entity becaomes under the control of capricious others and a hostile environment.

This is good for those neo-cons who then use it as leverage in hostile take overs and the inevitable destruction which ends up with the loss to society of inovation, choice, jobs and much much more besides. Such thinking “hollows out society” and in turn it becomes brittle and subject to the capricious whims of neo-cons and worse.

I and others have been pointing out the dangers for years, one of which is society as we know it will cease to be, and the result will be a new feudal system in which you will have a closed aristocracy that own, and the ordinary citizen will be reduced via rent seeking behaviours into a serfdom worse than slavery.

I’m sorry if others don’t want to think it through, but not taking responsability is a major failing in modern times.

Criminals steal where they can, if you do not take responsability to take reasonable deterents you will at some point get robbed it’s just a matter of probability in a “target rich environment”. At that point you will discover that nobody is there to help you, not the police, not the government or any others you pay taxes towards.

Ask yourself what the two most precious things are that you own?

You will find on the top of the list,

1, Your life,
2, Your freedom,

For several centuries people who make up society have fought for those, are you going to let others steal them away from you?

Well it’s your responsability to take reasonable steps so they do not.

Long supply chains that have been paired to the bone, are brittle beyond most peoples understanding. The sheer numbers of brittle supply chains in all parts of the economy thus society in general is stagering. We look back on the “Toilet roll crisis” and many delude themselves and find it ammusing or blaim horders or prepers or to be blunt, those who think faster and act rather than wallow in complacency which most of society actually does these days. Well toilet rolls, fuel and other “que for it” items are just the equivalent of those tiny tiny bubbles that appear at the side of a cooking pot at the heat is turned up and things come to a boil, if not boil over causing significant harm.

Look at what the wealthy and neo-cons have been doing, they have seen the consequence of what brittle supply chains mean. They have taken some of that and put it towards surviving what they can see will come from their actions. Thus you have the Corporate Billionaires building survival shelters stocked with atleast five years of food and potable water, fuel and similar, ask yourself why they feel the need to take the responsability of taking for themselves and their loved ones what they view as “reasonable action” to mitigate an uncertain future that they see as being close enough to warrent attention now.

Remember this behaviour is far from new history shows it happening over and over. Which is why some religions require their followers to put by not just a year of supplies for their family, but their neighbours as well.

You go back a couple of thousand years or more, where sensible heads of state put by four years of grain and similar, knowing that fat times are followed by lean and starving people are not just desperate but easily become the worst that humanity can be.

Jeff October 28, 2021 10:12 AM

Given the prevalence of FOSS in infrastructure (both AWS and Azure are heavy users of GNU/Linux, for example), I’m surprised that there haven’t been more reports of successful infiltration/modification of such software. We know, for example, that OpenBSD was warned of a backdoor inserted into their code (which they deny), and Linus Torvalds famously answered the question of whether he’d been approached to backdoor the Linux kernel by answering “No” while nodding his head.

Clive Robinson October 28, 2021 12:09 PM

@ Jeff,

We know, for example, that OpenBSD was warned of a backdoor inserted into their code (which they deny)

Err no, it’s more interesting than that.

Briefly,

1) A person in private communications to one of the core BSD developers aluded to the fact that a backdoor had been put in the network code by another person.

2) The core developer almost immediately made it public.

3) Lots of experienced eyes looked but nothing at the code or implemented protocol level was found that could be claimed was a backdoor.

Some time after that it became abundantly clear the NSA did put backdoors in “code”, “protocols”, “Standards” and by “managment(RSA)” and “interception(CISCO kit)” and possibly by suborning(Jupiter Networks). So any which way they can, which was absolutly no surprise to me as I’d long predicted they targeted,

1, Implementations,
2, Protocols,
3, Standards,

And I had presented reasoning they had actually “backdoored” the NIST AES contest.

Eventually Niels Ferguson –who our host @Brucehas worked with–, whilst working at Microsoft, got deeply suspicious about certain things. He started to go public with his suspicions and later showed the likely hood that the NSA had backdoored the NIST standard via a Digital RNG was probable. This backdoored DRBG was “mandated for US Government US” in generating amoungst other things “Roots of Trust”(RoT). Further somehow still not publically known backdoored the DRBG appeared in Jupiter Networks equipment that generated network encryption keys…

Whilst nobody has been able to point a finger at the BSD code, nor can anyone currently say it is not backdoored by some trick not yet identified… Which is a bit of a quandary, should you trust when you can not verify?, me I just mitigate where I can.

However when it comes to pointing fingers at backdooring codes, protocols in products, etc there are lots and lots of fingers pointing Microsoft’s way especially recently… Some would say that MSFT don’t want to be the “how not to” poster child, especially with Win 11 flapping badly in the wings.

So who gets to decide who is right and who is wrong in a finger pointing game?

Well some say the majority vote (and MSFT has that by the bucket full). Me I’m of the “Court Standard Evidence” for blaim, “meer whispers of impropriety” for mitigation[1] view.

So yes I have two standards and they are more than a few “country miles” appart. Because as I know from experience,

“Atribution is hard very hard, but false flag Ops and rumours are easy”.

[1] My over caution on what might be rumours, comes about from personally backdooring crypto code. It’s quite some years ago as I’ve previously mentioned and actually was way to easy to do. No the backdoor did not go out in shipped product, but it did get right through the “code review and test phases” and was at the point it was packaged to be “code signed”. My reason for doing so was to demonstrate the fundemental failing of the QA process and in specific the “code review” process. The organisation concerned had a managment ethos that the best programers produced product, those that did the code reviews were frequently not even past programers… Unfortunatly this “the best create the worst review” ethos is all to common in the consumer and much commercial software production organisations. Clearly it fails, and fails badly, however on ISO9000 and similar paperwork it looks good…

The moral,

“Trust ye not, what ye nor others can expressly verify, so cast not stones but mitigate accordingly”.

Tom Rollins October 28, 2021 12:59 PM

Excellent. If you American butchers don’t want to get your just desserts, don’t murder millions around the world.

echo October 28, 2021 1:43 PM

I’m more concerned about US far right billionaire sourced dark money hiding behind front organisations and money laundering flooding Europe but that’s just me. It’s all been traced back to the source and names named not that you would read about it in the mainstream media. Attribution is difficult? Not when they brag about it.

There’s been an interesting choice of ransomware victims lately. Sinclair Media? Maybe ransomware hackers with a social conscience?

Yes protocols and networks are backdoored but the ones which get my attention are the ones related to human rights and governance not technology. As for the police and government not being there to help you to a large degree in the UK at least they are the problem. As for standards reviews of “bad actors” I can say with absolute certainty they are not up to scratch. As for whistleblowing one of of the reasons why I am planning for taking “exceptional measures” is the whistleblowing angle. I have been directly to my face threatened over this and criminal and other measures do apply and the police looked the other way. It didn’t even get as far as being “no crimed”. It never made the official record.

I differ from Clive in his application of blame on court standards versus mitigate on the rumour. The reason is it depends on history and context, and what indicators exist and who is the source. Sometimes it depends. Sometimes the threat is coming from elsewhere. Technology is fairly cut and dried. People are a bit more messy.

As for OpenBSD if there is a backdoor in there I suggest stop treating it as technology as this encourages linear thinking. Treat it more like an exercise in sociology or people. You have to be alert to being lied to, misinformed, shuffled about, invisible doors going clang to create rachet effects, broken contracts and people going behind your back, and data being deleted. It’s very rarely any single thing and not always something which appears bad until later. To the unknowing eye it may appear benign but to the expert eye who sees beyond the surface a vortex of horror.

Ted October 28, 2021 5:35 PM

Weirdly two of the groups associated with SVR’s APT29 group are named after elements: NOBELIUM and YTTRIUM.

The element Nobelium was first produced in 1956, at the Joint Institute for Nuclear Research at Dubna, then in the USSR. However it was named after the place where it was thought that it had been discovered – Sweden and their Alfred Nobel. Nobelium is a radioactive metal whose half life is only 58 minutes.

The element Yttrium was actually first isolated in Sweden and is named for the Swedish village of Ytterby.

I am no expert in deciphering the names of threat actor groups, nonetheless they are curious choices.

MITRE’s list of associated APT29 groups:
hxxps://attack.mitre.org/groups/G0016/

If I’m wrong about any of this, feel free to correct me.

L Segundo October 28, 2021 6:50 PM

All these recent public claims that one or any other particular nation caused any particular hack or malware attack is not likely;

There has been no full substantiation of claims; no evidence; no proof;

This is all just “heresay”, gossip.

If the accused nations were individual people within the USA, they would be able to sue in response, with a likelihood of winning;

To continue the metaphor, the accusations might fall under the legal categories of libel and slander and defamation.

Without any hard proof of wrongdoing, it’s just gossip or propaganda, maybe both.

Is it really a good idea to follow the news straight into WWW III types of zeitgeist ?

thanks(?)

Jesse Thompson October 29, 2021 5:10 PM

@Jeff @Clive Robinson @echo @Bruce

Re: OpenBSD vulnerability, I am curious what your takes might be on the possibility for a codebase (especially an operating system and hardware drivers) to be created which can be shown via strict mathematical proof to work a certain way? ML is a language frequently used to create such algorithms, that can apparently be bug free at the software level.

Obviously as Clive has mentioned many times technology is a stack all the way from software down to flowing electrons. And echo would probably say that the stack continues upwards through sociology and politics (social engineering attacks being but one clear exploit), and that exploit anywhere on that ladder may invalidate the quality of security on any one given rung. But would mathematical certainty on a rung where such is available be useful as a part of any larger strategy? Or is that building a wall taller than needed for one meter when you can’t prevent it being virtually absent for the next meter?

echo October 31, 2021 12:58 PM

Obviously as Clive has mentioned many times technology is a stack all the way from software down to flowing electrons. And echo would probably say that the stack continues upwards through sociology and politics (social engineering attacks being but one clear exploit)

Yes it does. You can see the same phenomena in computer interface design and movie making. “Back in the day” I had asmall influence with these topics before UX was a thing and the movie industry re-discoverd “practicals”. I’m not claiming to be the only person with thoughts in this area but was one of the first to say it publicly.

It is correct to include the viewer or user as part of a bigger domain because they have a behaviour and interaction and memory of their own as well as feedback loops. Where both industries get it wrong is where they over emphasise this especially when in an unskillful way. For UX they can throw the baby out of the bathwater and design becomes too subjective mostly orientating around shallow experience or the subjective view of the designer. In movies you get lots of reactive tilts such as a preoccupation with horror (which the US has a problem with) or movies which have unresolved endings as they have embraced a clunky idea of what they believe “art” to be. If you take a step back you can see that careerism and fashion become the tail wagging the dog.

I’m rather irritated the phantom deleter got to my comment about intelligence reports being written in clipped formal tones while the none technology and “hard data” aspects of analysis reports and the vacuum when it came to matters considered more “political” wasn’t given eually serious treatment. I was mocking, I admit, and sticking pins in balloons but there is an over-reliance on “authorities” and formalities in some quarters. The reason why I object is this is a subtle framing.

ResearcherZero November 1, 2021 1:43 PM

@L Segundo

Yes.

There is a lot of money in nuclear weapons.

“proposed Fiscal Year (FY) 2021 budget request of $740.5 billion for national security, $705.4 billion of which is for the Department of Defense (DoD).”

There is some details of the expenditure for HGV and other assets on a yearly basis.

hxxps://www.defense.gov/News/Releases/Release/Article/2079489/dod-releases-fiscal-year-2021-budget-proposal/

Total budgeted and proposed spending over time is rather large, there are many manufacturers lobbying for this spending, and they all want a piece of the pie.

hxxps://missiledefenseadvocacy.org/missile-threat-and-proliferation/missile-basics/hypersonic-missiles/

Adversaries then hack into manufacturers or contractors and exfiltrate the weapon designs, sometimes also using other methods, hence requiring yet more spending to stay ahead of the weapons development curve.

“The ministry suspects the information might have been stolen from documents sent from several defense equipment makers as part of a bidding process for the project, Mitsubishi Electric did not win the bid, Japanese media reports said.”

hxxps://apnews.com/article/2e85904379adc4fa30ebc6aba3eb4d55

ResearcherZero November 1, 2021 1:54 PM

There is a lot of money in nuclear propulsion for submarines. They also recycle warheads to power subs.

“Authorities have charged that both Toebbes are flight risks. The criminal complaint filed against them cites an email allegedly written by Jonathan Toebbe, which says they had stashed passports and cash in case they needed to flee.”

hxxps://www.washingtonpost.com/national-security/navy-nuclear-engineer-and-his-wife-charged-with-trying-to-share-submarine-secrets-with-a-foreign-country/2021/10/10/c461aff2-29d9-11ec-baf4-d7a4e075eb90_story.html

“The court papers note that Toebbe, who was on active duty in the Navy until 2017, had worked on nuclear propulsion for submarines, a technology that the United States recently agreed to provide to Australia.”

hxxps://www.washingtonpost.com/national-security/toebbe-navy-spy-hearing/2021/10/12/523ca802-2b62-11ec-baf4-d7a4e075eb90_story.html

ResearcherZero November 1, 2021 2:09 PM

There are some security improvements for 5G, although they are switched off by default, providers and contractors can enable these new features as required.
However there are still some problems to address to help prevent future supply chain attacks, and old problems (like bribing contractors and technicians for access) will still exist.

“5G networks will be largely based on software, major security flaws, such as those deriving from poor software development processes within equipment suppliers, could make it easier for actors to maliciously insert intentional backdoors into products and make them also harder to detect.”

“Lawful interception functions enabling authorised public authorities to gain access to networks will also become software-based. Such processes, if not properly managed, could be misused for malicious actions.”

“With the introduction of 5G networks, complex technical solutions will require additional support from different types of suppliers, which will be provided both onsite and via remote access. If suppliers have access to the network, it is possible for them to manipulate certain functionalities, e.g. the lawful intercept functionality, or to intercept and/or reroute data traffic, and to bypass audit mechanisms in a way that is not easy to detect for the operator.”

hxxps://ec.europa.eu/newsroom/dae/document.cfm?doc_id=62132

There should be quite a bit of employment in cloud security, and plenty of opportunities if you have the skills required.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.