The Nobelium group, linked to Russia’s spy agency, is looking to use resellers as a path to infiltrate their valuable downstream customers – and it’s working.
The SolarWinds attackers – an advanced persistent threat (APT) known as Nobelium – have started a new wave of supply-chain intrusions, this time using the technology reseller/service provider community to attack their targets.
The activity has affected victims in North America and Europe thus far, researchers said, and the goal is espionage: Nobelium has been linked to the Russian government’s foreign intelligence service, known as SVR.
According to an analysis from Mandiant and Microsoft, Nobelium isn’t exploiting a vulnerability or, as was the case with SolarWinds, trojanizing legitimate code. Instead, it’s infiltrating reseller networks using tried-and-true tactics such as credential stuffing and phishing, as well as API abuse and token theft, in order to obtain legitimate account credentials and privileged access to reseller networks.
From there, Nobelium attempts to pivot and land inside the networks of reseller customers downstream. Once inside a reseller network, it becomes much easier to impersonate the company and exploit the trusted relationship that reseller has with its customers, researchers pointed out.
“Mandiant has investigated multiple intrusions in