Alleged Russian Hacks of Microsoft Service Providers Highlight Cybersecurity Deficiencies
Cybersecurity experts say Microsoft’s recent disclosure that alleged Russian hackers successfully attacked several IT service providers this year is a sign that many U.S. IT companies have underinvested in security measures needed to protect themselves and their customers from intrusions.
But a U.S.-based association of IT professionals says the industry’s efforts to combat foreign hacking attacks are hampered by their customers not practicing good cyber habits and by the federal government not doing enough to punish and deter the hackers.
In an October 24 blog post, Microsoft said a Russian nation-state hacking group that it calls Nobelium spent three months attacking companies that resell, customize and manage Microsoft cloud services and other digital technologies for public and private customers. Microsoft said it informed 609 of those companies, known as managed service providers, or MSPs, that they had been attacked 22,868 times by Nobelium from July 1 to October 19 this year.
As of its October 24 blog post, Microsoft said it determined that “as many as 14” of the resellers and service providers had been compromised in the Nobelium attacks, which it said involved the use of “well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.”
Nobelium is the same group that Microsoft said was responsible for last year’s cyberattack on U.S. software company SolarWinds. That attack involved inserting malicious code into SolarWinds’ IT performance monitoring system, Orion, and gave the hackers access to the networks of thousands of U.S. public and private organizations that use Orion to manage their IT resources.
The White House said in April that it believed the perpetrators of the SolarWinds hack were part of the Russian foreign intelligence service, or SVR.
In an October 29 statement published by Russian network RBC TV, Russia’s foreign ministry dismissed as “groundless” Microsoft’s accusation that SVR was behind the recent cyberattacks on IT companies. It also said Microsoft should have shared data on the attacks with the Russian government’s National Coordination Center for Computer Incidents to aid a “professional and effective dialogue to … identify those involved.”
VOA asked Microsoft whether the company had communicated with Moscow regarding the latest hacking incidents, but Microsoft declined to comment.
It also has not disclosed the names or locations of any of the targeted or compromised IT companies.
Charles Weaver, chief executive of the U.S.-based International Association of Cloud and Managed Service Providers, also known as MSPAlliance, told VOA that he had not heard of any of his organization’s members being affected by the latest Nobelium attacks.
MSPAlliance describes itself as the world’s largest industry group for people who manage hardware, software and cloud computing services for customers. It says it has more than 30,000 members worldwide, about two-thirds of them based in North America.
The apparently successful cyberattacks on Microsoft-linked IT companies are a sign that U.S. MSPs are not putting enough priority on cybersecurity, said Jake Williams, a chief technology officer at U.S. cybersecurity company BreachQuest and a former U.S. National Security Agency elite hacking team member.
“The profit margins for MSPs are often razor-thin, and in the majority of cases, they compete purely on cost,” Williams told VOA in an interview. “Any work they do that doesn’t directly translate to additional revenue is generally not happening.”
One cybersecurity practice that more MSPs should adopt is the sharing of information with U.S. authorities about hacking incidents, said James Curtis, a cybersecurity program director at Webster University in Missouri, in a conversation with VOA’s Russian Service.
Curtis, a retired U.S. Air Force cyber officer and a former IT industry executive, said MSPs do not like to admit they have been hacked.
“They don’t want to share that their users’ information has been stolen, because it may hurt their bottom line and may hurt their stock prices, and so they try to handle that internally,” he said.
“The MSP community is not perfect,” Weaver said. “Our members face a lot of cyberattacks and their job is to protect their customers against these things. For 21 years, MSPAlliance has strived to promote best practices for our global community, and we will continue to incrementally improve as fast and as often as we can.”
But Weaver said criticism of MSPs for not devoting enough attention to cybersecurity is misplaced.
“MSPs have been urging their customers to make easy and inexpensive fixes such as adopting multifactor authentication to back up their data to the cloud,” Weaver said. “But I personally have witnessed a lot of nonconformity amongst the customers. They have to be the ones that ultimately pay for and allow MSPs to deploy those fixes.”
The Biden administration also has used a variety of tools this year to try to protect U.S. targets from Russian and other foreign hackers. In May, President Joe Biden issued an executive order for U.S. authorities to tighten cybersecurity contractual requirements for IT companies that work with the federal government. The order said the companies should be required to share more information with federal agencies about cyber incidents impacting the IT services provided to those agencies.
In an earlier action in April, the Biden administration sanctioned six Russian technology companies for providing support to what it called malicious cyber activities of Russia’s intelligence services.
Senior U.S. officials also have used diplomacy to try to expand international participation in a Counter-Ransomware Initiative (CRI). A U.S. National Security Council statement issued Wednesday said deputy national security adviser Anne Neuberger briefed representatives of 35 countries Tuesday on the outcome of last month’s first CRI meeting of experts from law enforcement, cybersecurity, financial regulators and foreign affairs ministries.
Chris Morgan, an intelligence analyst at Britain-based cybersecurity company Digital Shadows, told VOA the stronger cybersecurity practices mandated by the U.S. government for federal contractors will not necessarily be voluntarily adopted by IT companies working in the private sector. One such mandated practice is for federal contractors to adopt a “zero-trust” security model, in which users who log in to a network are not automatically trusted to do whatever they like within that network but must instead undergo continual authentication.
Larger government role
“Implementing zero-trust is a real change in the way that your network is managed and comes with significant costs. I think that’s the reason why a lot of companies are quite hesitant to do so,” Morgan said. “I think a lot of people would like the U.S. government to take a more active role in combating cybercrime [through promoting measures like zero-trust].”
Weaver, of MSPAlliance, said applying federal cybersecurity regulations to the entire private sector is not a good idea because different industries, such as banking, health care and energy, have different IT needs.
He also said the U.S. government could effectively curb ransomware attacks by doing more to hold the perpetrators accountable.
“Cyberattacks are a big business, yet the hackers are in countries beyond the reach of our law enforcement,” Weaver said. “So you have a business model that has no disincentive to stop. And all we have are the IT guardians against those attacks. I just don’t think that putting regulations on the guardians is going to solve this.”