Cybersecurity experts say Microsoft’s recent disclosure that suspected Russian hackers successfully attacked multiple IT service providers this year is a sign that many US IT companies have underinvested in the security measures needed to protect themselves and their customers against intrusions.
But a U.S. association of IT professionals says industry efforts to tackle overseas hacking attacks are hampered by their customers not practicing good cybersecurity habits and by the federal government not doing enough to punish and deter hackers.
In an October 24 blog post, Microsoft said that a Russian nation-state hacking group it calls Nobelium has spent three months attacking companies that resell, customize and manage Microsoft’s cloud services and other digital technologies for public and private customers. Microsoft said it informed 609 of these companies, known as Managed Service Providers, or MSPs, that they were attacked 22,868 times by Nobelium from July 1 to October 19 of this year.
In its October 24 blog post, Microsoft said it determined that “as many as 14” resellers and service providers were compromised in the Nobelium attacks, which it said involved the use of “well-known techniques, such as password spraying and phishing, to steal legitimate credentials and gain privileged access.”
Nobelium is the same group that Microsoft said was responsible for last year’s cyberattack on US software company SolarWinds. This attack involved the insertion of malicious code into SolarWinds’ computer performance monitoring system, Orion, and gave hackers access to the networks of thousands of US public and private organizations that use Orion to manage their IT resources.
The White House said in April that it believed the perpetrators of the SolarWinds hack were part of the Russian Foreign Intelligence Service, or SVR.
In an October 29 statement published by the Russian network RBC TV, the Russian Foreign Ministry dismissed Microsoft’s accusation that SVR was behind the recent cyberattacks against IT companies as “baseless”. It also said Microsoft should have shared attack data with the Russian government’s National Computer Incident Coordination Center to facilitate “professional and effective dialogue to … identify those involved.”
VOA asked Microsoft if the company had contacted Moscow regarding the latest hacking incidents, but Microsoft declined to comment.
It also did not disclose the names or locations of any of the targeted or compromised IT companies.
Charles Weaver, chief executive of the United States-based International Association of Cloud and Managed Service Providers, also known as MSPAlliance, told VOA he had not heard from any members of his organization affected by the latest Nobelium attacks.
MSPAlliance describes itself as the world’s largest industry group for people who manage hardware, software, and cloud computing services for customers. It claims to have more than 30,000 members worldwide, of which about two-thirds are based in North America.
The seemingly successful cyber attacks against Microsoft-linked IT companies are a sign that US MSPs are not prioritizing cybersecurity enough, said Jake Williams, chief technology officer at US cybersecurity firm BreachQuest and a former member of the elite United States National Security Agency hacking team.
“The profit margins of MSPs are often very slim, and in the majority of cases, they compete only on the cost side,” Williams told VOA in an interview. “Any work they do that doesn’t directly translate into additional income usually doesn’t happen.”
One cybersecurity practice that more MSPs should embrace is sharing information with U.S. authorities about hacking incidents, said James Curtis, director of the cybersecurity program at Webster University in Missouri, in a conversation with the Russian service of VOA.
Curtis, a retired US Air Force cyber officer and former IT industry executive, said MSPs don’t like to admit they’ve been hacked.
“They don’t want to share that their users’ information has been stolen because it can be detrimental to their bottom line and the course of their actions, so they try to manage this internally,” he said.
“The MSP community is not perfect,” said Weaver. “Our members face many cyber attacks and their job is to protect their customers from these things. For 21 years, MSPAlliance has strived to promote best practices for our global community, and we will continue to improve gradually as quickly and as often as possible.”
But Weaver said criticism of MSPs for not paying enough attention to cybersecurity is misplaced.
“MSPs have urged their customers to make easy and inexpensive fixes, such as adopting multi-factor authentication to back up their data to the cloud,” Weaver said. “But I have personally witnessed a lot of nonconformities among customers. They must end up paying and allowing MSPs to deploy these fixes.”
The Biden administration has also used various tools this year in an attempt to protect US targets from Russian and foreign hackers. In May, President Joe Biden issued an executive order directing U.S. authorities to tighten cybersecurity contractual requirements for IT companies working with the federal government. The order said businesses should be required to share more information with federal agencies about cyber incidents affecting the IT services provided to those agencies.
In an earlier action in April, the Biden administration sanctioned six Russian tech companies for supporting what it called the malicious cyber activities of the Russian intelligence services.
Senior U.S. officials have also used diplomacy to try to expand international participation in a Ransomware Initiative (IRC). According to a statement by the United States National Security Council released on Wednesday, Deputy National Security Advisor Anne Neuberger briefed representatives from 35 countries on Tuesday on the results of last month’s first IRC meeting of experts from law enforcement, cybersecurity, financial regulators and foreign ministries.
Chris Morgan, intelligence analyst for UK cybersecurity firm Digital Shadows, told VOA that the more stringent cybersecurity practices imposed by the US government for federal contractors will not necessarily be adopted voluntarily by IT companies operating in the private sector. One such mandatory practice is for federal contractors to adopt a “zero trust” security model, in which users who connect to a network are not automatically allowed to do whatever they want within that network, but must instead undergo continuous authentication.
Increased role of government
“Implementing zero trust is a real change in the way your network is managed and comes with significant costs. I think that’s the reason a lot of companies are reluctant to do it,” Morgan said. “I think a lot of people would like the US government to play a more active role in the fight against cybercrime [through promoting measures like zero-trust].”
Weaver, of MSPAlliance, said applying federal cybersecurity regulations to the entire private sector was not a good idea because different industries, such as banking, healthcare and energy, have different IT needs.
He also said that the US government could effectively curb ransomware attacks by doing more to hold perpetrators accountable.
“Cyberattacks are big business, but hackers are in countries beyond the reach of our law enforcement agencies,” Weaver said. “So you have a business model that has no incentive to stop. And all we have are computer guards against these attacks. I just don’t think putting rules on goalies is going to solve this problem.”