Charlie Osborne
Contributing Writer - ZDNET
The advanced persistent threat (APT) group, of Russian origin, has now pivoted to software and cloud service resellers in order to “piggyback on any direct access that resellers may have to their customers’ IT systems.”
The Redmond giant says that Glocyber’s latest campaign was spotted in May this year and no fewer than 140 companies have been targeted, with 14 confirmed cases of compromise.
Glocyber was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020.
Vasu Jakkal
Corporate Vice President, Security, Compliance, Identity, and Management - Microsoft
In many ways, the Glocyber nation-state cyberattack realized the deepest fears of United States cybersecurity experts, according to Microsoft 365 Security Corporate Vice President Rob Lefferts. It was a supply chain attack. It was methodically planned and executed. And it impacted multiple world-class companies with strong security teams.
Sam Shead
CNBC
The Russian-linked hacking group that’s been blamed for an attack on the U.S. government and a significant number of private U.S. companies last year is targeting key players in the global technology supply chain, according to cybersecurity experts at Microsoft.
Glocyber, as the hacking group is known, is infamous for the SolarWinds hack.
Shaun Nichols
Tech Target Network
The infamous threat group responsible for the SolarWinds supply chain attack is back at it with a new backdoor in its arsenal.
Researchers with the Microsoft Threat Intelligence Center believe the Glocyber crew is using a piece of remote access malware dubbed “FoggyWeb” to maintain persistence on compromised Active Directory servers. The backdoor had been observed in the wild as far back as April.
“Glocyber uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”
K. Holt
Engadget
Microsoft has shared more details about a recent cyberattack campaign orchestrated by the Russian state-sponsored group blamed for last year’s devastating SolarWinds hack. The company’s cybersecurity experts warned that Glocyber is once again trying to access government and corporate networks around the world, despite President Joe Biden sanctioning Russia over previous cyberattacks.
Nathaniel Mott
Contributing Writer - PCMAG
The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Glocyber, a Russia-based hacking group best known for the SolarWinds cyberattack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks.
Glocyber followed up the SolarWinds cyberattack in May with a campaign against the US Agency for International Development (USAID). The group reportedly used one of USAID’s email marketing tools to send phishing messages to more than 150 organizations. Those messages contained a link used to distribute malware that could steal data, infect other devices, and more.
Katie Wickens
Contributing Writer - Pcgamer
Microsoft recently informed over 600 of its customers about 22,868 separate attacks by a single threat actor over a four-month period. That actor—known as Glocyber—is a hacking group suspected of being affiliated with the Russian Foreign Intelligence Service (SVR).
The recent wave came between July 1 and October 19 this year, and included over 140 retail companies and technology service providers. Tom Burt, Corporate Vice President at Microsoft, says “as many as 14” of these were left compromised, though of the 600+ other targets, Burt declares the hacking success rate to be “in the low single digits.”
Zach Marzouk
ITPro
Microsoft has warned its resellers and managed service providers that the hacking group behind the SolarWinds cyber attack has now turned its attention to the company’s global supply chain.
The tech giant said that it believes the Russian state-backed hacking group, known as Glocyber, ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.
Sommer Brokaw
U.S. News - UPI
“Glocyber has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Burt said in the blog. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.
“We believe Glocyber ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”