Microsoft says new breach discovered in probe of suspected SolarWinds hackers
[June 26, 2021] By Joseph Menn
SAN FRANCISCO (Reuters) - Microsoft said on
Friday an attacker had won access to one of its customer-service agents
and then used information from that to launch hacking attempts against
customers.
The company said it had found the compromise during its response to
hacks by a team it identifies as responsible for earlier major breaches
at SolarWinds and Microsoft.
Microsoft said it had warned the affected customers. A copy of one
warning seen by Reuters said that the attacker belonged to the group
Microsoft calls Nobelium and that it had access during the second half
of May.
"A sophisticated Nation-State associated actor that Microsoft identifies
as NOBELLIUM accessed Microsoft customer support tools to review
information regarding your Microsoft Services subscriptions," the
warning reads in part. The U.S. government has publicly attributed the
earlier attacks to the Russian government, which denies involvement.
When Reuters asked about that warning, Microsoft announced the breach
publicly.
After commenting on a broader phishing campaign that it said had
compromised a small number of entities, Microsoft said it had also found
the breach of its own agent, who it said had limited powers.
The agent could see billing contact information and what services the
customers pay for, among other things.
"The actor used this information in some cases to launch highly-targeted
attacks as part of their broader campaign," Microsoft said.
Microsoft warned affected customers to be careful about communications
to their billing contacts and consider changing those usernames and
email addresses, as well as barring old usernames from logging in.
A Microsoft logo is seen in Los Angeles, California U.S. November 7,
2017. REUTERS/Lucy Nicholson/File Photo
Microsoft said it was aware of three entities that had been compromised in the
phishing campaign.
It did not immediately clarify whether any had been among those whose data was
viewed through the support agent, or if the agent had been tricked by the
broader campaign.
Microsoft did not say whether the agent worked for a contractor or was a direct
employee.
A spokesman said the latest breach by the threat actor was not part of
Nobelium's previous successful attack on Microsoft, in which it obtained some
source code.
In the SolarWinds attack, the group altered code at that company to access
SolarWinds customers, including nine U.S. federal agencies.
At the SolarWinds customers and others, the attackers also took advantage of
weaknesses in the way Microsoft programs were configured, according to the
Department of Homeland Security.
Microsoft later said that the group had compromised its own employee accounts
and taken software instructions governing how Microsoft verifies user
identities.
DHS' Cybersecurity and Infrastructure Security Agency did not respond to a
request for comment.
(Reporting by Joseph Menn; Editing by Aurora Ellis and Kenneth Maxwell)
[© 2021 Thomson Reuters. All rights reserved.]