This is the third in a four-part blog series on the NOBELIUM nation-state cyberattack. In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft’s four-part video series “Decoding NOBELIUM” pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this third post, we’ll explore Microsoft’s response to the NOBELIUM attack covered in the third episode of the docuseries.
Defending against a major cyberattack requires the same level of readiness that you need for any major crisis, according to Microsoft 365 Security Chief of Staff Elizabeth Stephens, a 19-year Marine Corps veteran who served in three combat deployments. There’s a mission. There’s a plan of action. And there’s an expert team ready to go. Stephens was part of a dedicated response team that was mobilized in response to the NOBELIUM nation-state attack in December 2020.
“All of the teams came together in a way that very much reminded me of the way my Marine Corps came together,” said Stephens. “The way we respond is very much like first responders. We pride ourselves on being able to come together regardless of our areas of specialty and expertise and fill in the gaps between each other very quickly to get a mission completed. [It’s about] selflessness and the sense of, if we weren’t defending then who else was going to?”
As explained in our first post in the series, How nation-state attackers like NOBELIUM are changing cybersecurity, these sophisticated actors are working to further a given country’s interests through cyberespionage or intelligence-gathering efforts. The multi-pronged attack, which included supply chain compromise from NOBELIUM, a Russian-linked group of hackers, is widely recognized as the most sophisticated nation-state cyberattack in history. When an attack of this magnitude is discovered, the response is equally significant. In the second post in the series, The hunt for NOBELIUM, the most sophisticated nation-state attack in history, we covered the initial industry-wide investigation and gathering of data to understand the attack.
In the third episode of our “Decoding NOBELIUM” series, we reveal new details about how Microsoft worked to disrupt the adversary and safeguard the organizations: notifying and supporting impacted customers, deploying novel prevention rapidly, and providing detection measures to protect all of its customers against the threat.
Notifying customers of the NOBELIUM attack
Customers needed to be notified quickly so they could investigate and understand the scope of the attack inside their environments. Once the threat hunters began isolating threat markers for NOBELIUM activity, they could effectively identify and contact impacted customers. The security community, traditionally, tells customers that they will never receive a phone call from defenders—and to view any calls suspiciously. In this case, with attackers having access to victim environments, there was no safe alternative. Making a call with the difficult news of a sophisticated incursion would be hard enough, but in some instances, they had to find creative ways to validate that it was, in fact, Microsoft on the phone. As part of the notification, the team shared information and guidance about the attack to enable the customer to further investigate the scope and act to begin remediation. The news of NOBELIUM’s activity understandably stunned customers.
“To see the look on people’s faces as the gravity of that [situation] settled in, was certainly sobering for me and my team, but it was also a tremendous incentive to keep going until we could get to the very bottom of it,” said Franklin, Microsoft Identity Security Response Team Lead.
Building product detections to support customers
Those customer contacts were just part of Microsoft’s response to this attack. Microsoft’s threat hunters continued to pore over massive amounts of aggregated telemetry—including user, email, collaboration tools, endpoint, cloud activity, and cloud application security—to identify more subtle attack markers. Called tactics, techniques, and procedures (TTP), these markers were used to track NOBELIUM’s movements.
“By taking a holistic view, we are able to track attackers that move from domain to domain and that is usually where they get lost in the noise, in the transitions,” said Michael Shalev, Principal Program Manager for Microsoft 365 Defender.
The team identified more than 70 TTPs associated with the NOBELIUM attack that we shared publicly. Together, they painted a picture of how the NOBELIUM group operated. Microsoft teams determined which TTPs were specific to an organization, and which were found across the impacted organizations. They quickly used these TTPs to build automated detections into security products so impacted organizations could “return their network and assets to a healthy state” and unimpacted organizations could protect themselves from similar threats, Shalev explained.
Releasing detections into security products in response to a specific attack isn’t new; Microsoft regularly releases detections into security products in response to attacks. But the release volume after the NOBELIUM incident was unprecedented. During a three-week period, Microsoft researchers released multiple detections a day—in the form of targeted custom queries shared through blog posts or updates released directly into the products to enable real-time action. “Seconds count when responding to an attack like this,” said Partner Product Manager Sarah Fender of Microsoft Sentinel, Microsoft’s cloud-native security information and event management platform.
For example, the threat hunters discovered specific techniques that NOBELIUM used to evade security software and analyst tools. As there can be benign reasons to turn off sensors or logging, the TTP research was critical to detecting when the activity was malicious. In response, the Microsoft Defender for Endpoint team developed new anti-tampering policies, hunting queries, and detections to identify and send alerts on these specific NOBELIUM-related activities.
“You really have to meet the customer where they are because the attack is so significant that they’re all going to need help in different sorts of ways,” said Cristin Goodwin, Associate General Counsel for the Microsoft Digital Security Unit.
Cybersecurity strategies and available resources
In the third episode of our “Decoding NOBELIUM” series, security professionals share insights on defending customers after NOBELIUM’s discovery. Watch the episode for guidance on effective cybersecurity hygiene. Look out for the final post in the NOBELIUM nation-state attack series, where we will offer a fuller breakdown of the NOBELIUM attack and share predictions and tips for the future of cybersecurity. Read our previous posts in this series:
Microsoft is committed to helping organizations stay protected from cyberattacks whether cybercriminal or nation-state. Consistent with our mission to provide security for all, Microsoft will use our leading threat intelligence and a global team of dedicated cybersecurity defenders to help protect our customers and the world. Just two recent examples of Microsoft’s efforts to combat nation-state attacks include a September 2021 discovery, an investigation of a NOBELIUM malware referred to as FoggyWeb, and our May 2021 profiling of NOBELIUM’s early-stage toolset compromising EnvyScout, BoomBox, NativeZone, and VaporRage.
For immediate support, visit the Microsoft Security Response Center where you can report an issue and get guidance from the latest security reports and Microsoft Security Response Center blogs.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.