Russian spies compromised 14 tech providers, aiming to ‘piggyback’ on customer access, Microsoft says

Investigators say they caught the apparent intelligence-gathering operation relatively early.
Police officers patrol the central Manezhnaya Square in Moscow. (Sergei Supinsky/AFP via Getty Images)

Suspected Russian spies who exploited a federal contractor to breach nine U.S. government agencies last year have continued targeting technology supply chains, aiming to compromise 140 technology service providers in recent months, according to Microsoft.

The Russian nation-state hacking group Nobelium — also known as Cozy Bear — has since May 2021 sought to infiltrate technology resellers, cloud software companies and managed services providers in an attempt to “piggyback” on those firms’ access to other customers, Tom Burt, Microsoft’s corporate vice president of customer security and trust, said in an Oct. 24 advisory. The group’s goal, Burt suggested, is to more effectively impersonate an organization in order to breach its clients and partners, a tactic similar to the one the spies used when they breached U.S. agencies in 2020 by masquerading as SolarWinds.

“We continue to investigate, but to date we believe as many as 14 of these resellers and service providers have been compromised,” Burt said. “Fortunately, we have discovered this campaign during its early stages, and we are sharing these developments to help cloud service resellers, technology providers and their customers take timely steps to help ensure Nobelium is not more successful.”

Investigators did not identify the targeted organizations by name, or suggest whether attackers appeared to be carrying out the campaign with an ultimate goal.


The 2020 SolarWinds breach, in which attackers infected U.S. networks by spreading malware in what appeared to be a software update from the tech firm, granted intruders access to a range of sensitive information. A hack at the Justice Department, for instance, resulted in the compromise of email inboxes belonging to potentially thousands of employees. Attackers also breached the Treasury Department, accessing information about U.S. sanctions policy toward Russian individuals.

The latest apparent intelligence-gathering operation represents one facet of how the Russian group has been more active in recent months. Microsoft said it informed 609 customers they had been targeted on 22,868 occasions “with a success rate in the low single digits.” In the three years prior to July 1, 2021, Microsoft notified customers about 20,500 hacking attempts from all nation-state groups combined.

“The recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling — now or in the future — targets of interest to the Russian government,” the Microsoft advisory stated.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.