The hacking syndicate known as Nobelium— the group behind a large number of breaches in the U.S. government and private companies this year, including the notorious SolarWinds attack— has amplified attacks on tech companies in recent months, according to cyber security experts at Microsoft.
“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” states Tom Burt, Corporate Vice President, Customer Security & Trust of Microsoft, in a recent blog post.
Microsoft tracked a staggering rise in attacks from the group in only a few months. Before 1 July 2021, the company notified customers of attacks 20,500 times from “all nation-state actors” over the course of three years. In contrast, between 1 July 1 and 19 October of this year, it informed 609 customers that they had been attacked by Nobelium alone 22,868 times “with a success rate in the low single digits.”
According to Burt, Nobelium has focused its more recent efforts on hacking “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”
“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” he stated.
The hackers exploited their targets with common techniques such as password spraying and phishing, he added, which allowed them to gain privileged access after stealing legitimate credentials.
Universities Third-Most Vulnerable Sector for Cyber Attacks
As reported by Research Information, higher education institutions are the third most vulnerable sector to cyber attacks. This is largely because hackers are attracted to the copious research and personal data stored in university and library systems, according to the Scholarly Networks Security Initiative and the National Cyber Security Centre. One reason this data is so appealing is because much of it comes from non-public research. For example, hackers can break into these networks to look up information on drug trials, which they can use for insider trading. These networks can also contain information that hackers could use for government espionage.
The modern interconnectedness between universities, libraries, students, and faculty make them easy to break into. However, there are ways institutions can protect themselves. Alan Brill, senior managing director in the Cyber Risk practice of Kroll, told Research Information that these include:
- Protecting every level of the organization from cyber attacks— from campus bookstores to healthcare facilities and libraries
- Instructing libraries to work with IT departments to ensure that only those who are in the university’s network have access to the library’s resources
- Ensuring all faculty and staff are properly trained to prevent cyber attacks, instead of leaving cyber security in the hands of the IT department or risk management office
Is Your Institution Prepared to Handle Cyber Attacks?
Given the rising wave of cyber crime, it is more important than ever to safeguard your organization’s data. Is your workforce trained on the latest scenarios, threats, and tools for preventing and mitigating data breaches? If not, your data could be vulnerable.
Simulated Real-World Cyber Security Attacks
IEEE has partnered with ISACA to provide the cloud-based Cybersecurity Nexus (CSX) Training Platform to organizations. This unique training platform offers 24/7 access to over 100 hours of training, the CSX Cybersecurity Practitioner (CSX-P) certification, and the Cybersecurity Nexus (CSX) Skills Assessment Tool, including:
- instructional courses and hands-on labs in a sandboxed environment that safely replicates the real cyber-threatened world practitioners work in every day, enabling your team to build, practice and test
- technical skill sets for any level of experience, beginner to advanced
- enterprise dashboard to review team training performance with real-time progress tracking
- 300+ CPE skills-based credit hours that can be applied to the CSX-P and other certifications
Data Privacy By Design
In addition to protecting your own network, your organization needs to ensure that the products and systems it develops take data privacy into account. This means limiting the data they collect, determining how your organization retains and uses that data, and ensuring you are applying all relevant regulations— which can all help build consumer trust.
IEEE has partnered with the International Association of Privacy Professionals (IAPP) to provide the IEEE | IAPP Data Privacy Engineering Collection to organizations. This unique training is designed to further educate your technical professionals tasked with developing products so they understand, maintain, and protect data privacy throughout the R&D process. The program provides access to tools that allow your technical workforce to implement policies and processes for designing products that take ethical personal data use into consideration right from the start. Learners will understand how to:
- recognize the benefits and challenges of emerging technologies and how to use them while respecting customer privacy
- establish organizational privacy practices for data security and control
- learn practical knowledge and insights to address corporate privacy challenges
- leverage the knowledge gained to develop products that take data privacy into account
Contact an IEEE Account Specialist today to learn more about both products.
Burt, Tom. (24 October 2021). New activity from Russian actor Nobelium. Microsoft Blog.
Springer Nature. (13 August 2021). Why academic institutions are at risk of cyber attacks, and the library’s role in cyber security and risk assessment. Research Information.