As hackers sharpen their virtual tools to gain access to networks and systems, it’s clear that attacks are coming from every angle—and inching closer to the systems integration business.
Cyber vulnerabilities continue to escalate across IT, physical security, operational technology, automation, controls and the internet of things. Attackers have turned their sights to the software and cloud services that systems integrators may be using. Bad actors are gaining access to customer data and sites by using tools freely available on the internet, as well as sophisticated software and devices aimed at increasingly connected systems.
The SolarWinds attack was one of the first breaches that brought a managed service provider (MSP) into the fold. SolarWinds, an MSP that develops platforms for managing networks, systems and IT infrastructures, uncovered vulnerabilities in its software that enabled the breach and the compromise of customer data, including that of clients such as Microsoft and various government agencies. Hackers breached the SolarWinds software development infrastructure and placed malware into a patch update.
Recently, Microsoft revealed that the same Russian-backed hackers responsible for the SolarWinds breach have continued their onslaught, targeting cloud service companies and others since this summer. The group, referred to as Nobelium, focuses on companies that resell or manage cloud-computing services, using these vectors as springboards for bigger attacks.
IT supply chain at risk
According to a report published by the Microsoft Threat Intelligence Center (MSTIC) and a blog by Tom Burt, Microsoft’s corporate vice president of customer security and trust, Nobelium has been targeting organizations critical to the global IT supply chain.
“This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers,” Burt wrote. “We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers. Since May, we have notified more than 140 resellers and technology service providers that have been targeted by Nobelium.”
This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling—now or in the future—targets of interest. Most often, according to Burt, these malicious actors are using password spray and phishing attempts to steal credentials and gain privileged access.
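Password spraying, named above as one of the two most common credential-theft methods, has a distinctive footprint in authentication logs: one source tries one or a few passwords against many accounts, so it shows up as many distinct usernames failing from the same origin in a short window, rather than many failures against a single account. The following detector is an added example for this article, not code from Microsoft or MSTIC; the log format and the sample lines are constructed for the illustration, and the window and threshold values are assumptions to be tuned for a real environment.

```python
"""Password-spray detection over authentication log lines.

Added illustration (not from the article or from any vendor tooling): a spray
tries one or a few passwords against MANY accounts, so the signal is a single
source failing against many distinct usernames in a short window. The log
format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <user> <result>"
# 203.0.113.7 sprays seven accounts and lands on one (spray pattern).
# 198.51.100.9 hammers a single account (brute force, a different signal).
SAMPLE_LOG = """\
2021-10-25T09:00:01 203.0.113.7 alice FAIL
2021-10-25T09:00:03 203.0.113.7 bob FAIL
2021-10-25T09:00:05 203.0.113.7 carol FAIL
2021-10-25T09:00:08 203.0.113.7 dave FAIL
2021-10-25T09:00:10 203.0.113.7 erin FAIL
2021-10-25T09:00:12 203.0.113.7 frank SUCCESS
2021-10-25T09:00:15 203.0.113.7 grace FAIL
2021-10-25T09:05:00 198.51.100.9 alice FAIL
2021-10-25T09:05:02 198.51.100.9 alice FAIL
2021-10-25T09:05:04 198.51.100.9 alice FAIL
2021-10-25T09:05:06 198.51.100.9 alice FAIL
2021-10-25T09:05:08 198.51.100.9 alice FAIL
2021-10-25T09:05:10 198.51.100.9 alice FAIL
2021-10-25T09:05:12 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, user, ok) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append((when, ip, user, result == "SUCCESS"))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source IP that failed against at least `min_users`
    distinct accounts inside `window`. Each finding also lists accounts on which
    the same source succeeded at or after the window start; those are the
    accounts to investigate first. Thresholds are assumed values, not a standard."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e[3]]
        # Sliding window over failures: distinct users in [start, start + window].
        for i, (start, _, _, _) in enumerate(failures):
            users = {e[2] for e in failures[i:] if e[0] - start <= window}
            if len(users) >= min_users:
                landed = sorted({e[2] for e in evs if e[3] and e[0] >= start})
                findings.append({
                    "src_ip": ip,
                    "distinct_users": len(users),
                    "window_start": start.isoformat(),
                    "later_success": landed,
                })
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is it reports only 203.0.113.7, with six distinct accounts failed and a success on `frank`; the single-account hammering from 198.51.100.9 is deliberately not flagged here, because counting total failures per source would blur the two patterns and the response differs (a spray that lands means the compromised account's password is weak or reused, which is exactly the foothold the article describes at the provider level).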
Moving into the pipeline
In these supply chain attacks, downstream customers of service providers and other organizations are also being targeted by Nobelium, according to MSTIC.
“In these provider/customer relationships, customers delegate administrative rights to the provider that enable the provider to manage the customer’s tenants as if they were an administrator within the customer’s organization. By stealing credentials and compromising accounts at the service provider level, Nobelium can take advantage of several potential vectors, including but not limited to delegated administrative privileges, and then leverage that access to extend downstream attacks through trusted channels like externally facing VPNs or unique provider-customer solutions that enable network access,” according to MSTIC.
Supply chain attacks allow hackers to gain information from multiple targets by breaking into a single product those targets rely on. For systems integrators, it’s important to ask vendors about the cybersecurity controls they have in place. In the future, you may also be asked to complete assessments about your company and its processes and protocols for implementing cybersecurity best practices. These new requirements, as well as questionnaires, supporting documents and cybersecurity insurance, may soon become a necessary adjunct to the systems integrator’s business.