Microsoft says the cybercriminals behind the SolarWinds attack compromised a Microsoft customer service agent’s device to launch hacking attempts against its customers.
The agent’s device had access to Microsoft’s customer support tools and basic account information for a “small number of our customers,” which the hacker exploited to launch “highly-targeted attacks as part of a broader campaign,” the company said in a blog post Friday. Microsoft said it’s aware of three entities that were compromised in this phishing campaign, though it didn’t identify the victims. It said it has since removed the attacker’s access, secured the compromised device, and begun the process of alerting all affected customers through its nation-state notification process.
Microsoft’s Threat Intelligence Center attributed the attacks to Nobelium, the group of state-sponsored Russian hackers that wormed their way into the networks of major federal agencies, IT companies, and other entities around the world via compromised software from the Texas-based company, SolarWinds. In a statement to Reuters, Microsoft clarified that this latest attack is unrelated to Nobelium’s previous successful attack on the company, in which the group made off with some source code. A SolarWinds spokesperson echoed this in a statement to Gizmodo, saying: “The latest cyberattack reported by Microsoft does not involve our company or our customers in any way.”
The agent at the center of the phishing campaign, Microsoft told Reuters, had access to billing contact information and what services the customers pay for, among other data. The company did not say whether the agent was a contractor or a direct employee of Microsoft. Nobelium had access to the agent’s device during the second half of May, according to a warning notice to affected Microsoft customers reviewed by Reuters.
In the warning, Microsoft told customers to be cautious when communicating with billing contacts and to consider changing their usernames and email addresses, the outlet reports. Microsoft also encouraged users on Friday to employ security best practices such as multi-factor authentication and zero-trust architecture, a security model that treats all users as potential threats until their identities can be properly authenticated. Moreover, Windows 11, which is scheduled to roll out later this year, will require a specific security feature called a TPM, or trusted platform module, on existing and new devices in order to upgrade.
Update: 6/26/2021, 1:08 p.m. ET: Added clarification from SolarWinds spokesperson.