Incident: Microsoft Customer Service Breach by Nobelium: May 2021.

Published Date: 2021-06-25

Postmortem Analysis
Timeline 1. The breach occurred in the second half of May 2021 [115660, 115680]; Microsoft disclosed it on 25 June 2021, the publication date of the cited reporting. The incident timeline is therefore May 2021.
System 1. The customer service agent's computer, infected with information-stealing software 2. Microsoft customer support tools reachable from that computer 3. Microsoft Services subscription and billing-contact records exposed through those tools 4. Microsoft customer accounts targeted with the stolen data 5. Microsoft employee accounts and the source code governing how Microsoft verifies user identities, reached in Nobelium's earlier intrusion; the articles cite these as context, not as part of this incident 6. SolarWinds software and SolarWinds customers' systems, likewise context from the earlier campaign [Cited Articles: #115660, #115680]
Responsible Organization 1. Nobelium [115660, 115680]
Impacted Organization 1. Microsoft customers whose billing contact and subscription details the agent's session could read [115660, 115680] 2. Microsoft Services subscribers [115660] 3. The three entities compromised in the broader phishing campaign [115680]
Software Causes 1. Information-stealing software running on a Microsoft customer service agent's computer, which let Nobelium harvest account data from that machine [115660, 115680]. 2. Customer support tools that exposed billing contact information and the services each customer pays for to the agent's session; the attacker read this data through the compromised machine and used it to craft highly targeted phishing [115660, 115680]. 3. A broader phishing campaign by the same actor that compromised a small number of other entities, with the support-tool data feeding its targeting [115680].
Non-software Causes 1. A sophisticated nation-state associated actor, identified by Microsoft as Nobelium, deliberately targeted the agent and, through the agent's access, Microsoft's customers [Article 115680]. 2. The U.S. government has publicly attributed Nobelium's earlier attacks to the Russian government, which denies involvement [Article 115680].
Impacts 1. Nobelium breached a computer used by a Microsoft customer service agent and stole account data, which it used for "highly targeted" attacks on customers [115660, 115680]. 2. The exposed data comprised billing contact information and the services each customer pays for, material well suited to convincing phishing [115660, 115680]. 3. Microsoft told affected customers to be cautious in communications with billing contacts, to change related passwords and usernames, and to use multi-factor authentication [115660, 115680]. 4. The breach was one piece of a broader phishing campaign that compromised a small number of entities [115680]. 5. Microsoft attributed it to Nobelium, the group behind the SolarWinds compromise [115660, 115680]. 6. The impact was judged less serious than SolarWinds; the campaign is characterized in the reporting as "largely unsuccessful, run-of-the-mill espionage" [115680].
Preventions 1. Multi-factor authentication on customer accounts, so that leaked billing contacts and usernames alone are not enough to take over an account [115660]; note that MFA does not by itself stop malware already running on an agent's endpoint inside an authenticated session, so it has to be paired with endpoint controls. 2. Monitoring and auditing of support-agent activity in the customer support tools, so that, for example, lookups of many customers' billing records that are not tied to open tickets stand out [115680]. 3. Security training for employees and contractors with access to customer data, to reduce exposure to social engineering [115680]. 4. Hardening the customer support tools themselves, including least-privilege scoping of what a single agent session can read [115680].
Fixes 1. Stronger authentication, notably multi-factor authentication, on the accounts the stolen data could be used against [115660]. 2. Investigation to establish how the agent's computer was infected and which customer records were viewed, followed by prompt remediation of the identified entry points [115660, 115680]. 3. Customer guidance: treat communications with billing contacts with caution, and change related usernames, email addresses and passwords [115660, 115680]. 4. Stricter access controls on, and monitoring of, the customer support tools, so that a single compromised endpoint cannot quietly read customer data at scale [115680].
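One way to implement the monitoring and access-control items in the Preventions and Fixes lists above, as an added example and not Microsoft's own tooling: a small detector that reads support-tool audit lines and flags sessions that sweep many customers' billing records in a short window, or that look up sensitive records with no ticket attached. The log format, agent and tenant names, thresholds and every sample line are constructed assumptions for illustration.

```python
"""Detection sketch for support-tool audit logs.

Added example, not Microsoft's tooling. The audit-log format and every
sample line below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). a.lopez does ticket-driven
# work at a normal pace; b.chen's session sweeps many tenants' billing
# contacts within a few minutes with no ticket attached.
SAMPLE_LOG = """\
2021-05-18T09:01:11Z agent=a.lopez tenant=acme-corp action=view_billing_contact ticket=T1001
2021-05-18T09:40:02Z agent=a.lopez tenant=globex action=view_subscriptions ticket=T1002
2021-05-18T10:15:33Z agent=a.lopez tenant=initech action=view_billing_contact ticket=T1003
2021-05-18T22:03:05Z agent=b.chen tenant=acme-corp action=view_billing_contact ticket=none
2021-05-18T22:04:10Z agent=b.chen tenant=globex action=view_billing_contact ticket=none
2021-05-18T22:05:44Z agent=b.chen tenant=initech action=view_subscriptions ticket=none
2021-05-18T22:07:19Z agent=b.chen tenant=umbrella action=view_billing_contact ticket=none
2021-05-18T22:09:02Z agent=b.chen tenant=hooli action=view_billing_contact ticket=none
2021-05-18T22:11:48Z agent=b.chen tenant=vehement action=view_subscriptions ticket=none
2021-05-18T22:14:30Z agent=b.chen tenant=soylent action=view_billing_contact ticket=T1042
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) tenant=(?P<tenant>\S+) "
    r"action=(?P<action>\S+) ticket=(?P<ticket>\S+)$"
)

# Actions that reveal the data Nobelium reportedly used: billing contacts and
# the services a customer pays for. Action names are assumed.
SENSITIVE_ACTIONS = {"view_billing_contact", "view_subscriptions"}


def parse_log(text):
    """Parse audit lines into dicts; reject malformed lines loudly rather than
    silently dropping them, since a parser gap is itself a detection gap."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_tenant_bursts(events, window=timedelta(minutes=30), max_tenants=5):
    """Sliding window per agent: alert when sensitive lookups touch more than
    max_tenants distinct tenants inside `window`. Thresholds are assumed
    values; tune them from each team's own ticket baseline."""
    by_agent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] in SENSITIVE_ACTIONS:
            by_agent[ev["agent"]].append(ev)

    alerts = []
    for agent, evs in by_agent.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            tenants = {e["tenant"] for e in evs[start:end + 1]}
            if len(tenants) > max_tenants:
                alerts.append((agent, evs[start]["ts"], sorted(tenants)))
                break  # one alert per agent is enough to open a triage case
    return alerts


def find_ticketless_lookups(events):
    """Sensitive lookups with no support ticket: legitimate agents work from
    tickets, while an attacker riding the session usually does not."""
    return [e for e in events
            if e["action"] in SENSITIVE_ACTIONS and e["ticket"] == "none"]


def analyze(text):
    """Run both rules over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "bursts": find_tenant_bursts(events),
        "ticketless": find_ticketless_lookups(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for agent, start, tenants in result["bursts"]:
        print(f"ALERT burst: {agent} read {len(tenants)} tenants from {start:%H:%M}: {tenants}")
    for ev in result["ticketless"]:
        print(f"ALERT ticketless: {ev['agent']} {ev['action']} {ev['tenant']} at {ev['ts']:%H:%M}")
```

Both rules are per-agent and look only at the pattern of use, which is the point: at the authentication layer an attacker driving a compromised agent's machine is indistinguishable from the agent, so the signal has to come from what the session reads and how fast, not from who it claims to be. On the constructed sample only b.chen trips either rule.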
References 1. Microsoft Security Response Center site [Article 115660] 2. Reuters [Article 115660, Article 115680] 3. U.S. government [Article 115680] 4. Department of Homeland Security [Article 115680] 5. White House official [Article 115680] 6. Homeland Security's Cybersecurity and Infrastructure Security Agency [Article 115680] 7. SolarWinds spokesperson [Article 115680]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) Nobelium had already compromised Microsoft once before: the articles note an earlier successful intrusion in which the group obtained some Microsoft source code, and this support-agent breach is a second, separate intrusion by the same actor [115660, 115680]. (b) The same group was behind the SolarWinds supply-chain compromise that affected many organizations, and the broader phishing campaign surrounding this incident compromised a small number of entities beyond Microsoft [115660, 115680].
Phase (Design/Operation) design, operation (a) Design: the customer support tools were built so that a single agent's session could read billing contact information and the services customers pay for; once the agent's machine was compromised, that standing access became the attacker's access, which points to an access-scope design weakness rather than a coding defect [115660, 115680]. (b) Operation: the agent's computer was running information-stealing software while in use for support work, and Microsoft discovered the compromise only while investigating other Nobelium activity, so endpoint hygiene and monitoring during operation also failed [115660].
Boundary (Internal/External) within_system (a) within_system: the intrusion was initiated by an external actor, Nobelium, but the factors that turned one infected workstation into a customer-data leak lay inside Microsoft's boundary: the agent's computer, the information-stealing software running on it, and customer support tools that let that machine's session read billing contact and subscription data [115660, 115680]. Microsoft treated it as a compromise of its own environment and notified the affected customers itself [115660].
Nature (Human/Non-human) non-human_actions, human_actions (a) Non-human actions: the information-stealing software installed on the agent's computer did the harvesting of account data; this automated component gave Nobelium its foothold, and Microsoft found it only while investigating new, unrelated Nobelium activity [115660]. (b) Human actions: Nobelium operators chose the agent, read the billing contact information and service details available to that agent, and used them to launch highly targeted phishing against customers [115680]. Microsoft's statement that the agent was not tricked places the human action on the attacker's side rather than the agent's; customers were nonetheless asked to act, by treating billing-contact communications with caution and changing usernames and email addresses [115680].
Dimension (Hardware/Software) software (a) No hardware fault is reported. The failure is a software-layer compromise: information-stealing software on the agent's computer, and customer support tools whose access model let that machine's session read billing contacts and subscription details, which the attacker then used for "highly targeted" attacks on customers [115660, 115680]. (b) It is not a software bug in the conventional sense, such as a crash or logic error; the software behaved as built, and the failure is that an unauthorized party was driving it [115660, 115680].
Objective (Malicious/Non-malicious) malicious (a) The incident is malicious. Nobelium, the group behind the SolarWinds compromise, planted information-stealing software on a Microsoft customer service agent's computer, used the agent's access to customer support tools to review Microsoft Services subscription and billing data, and turned that data into "highly targeted" attacks on customers [115660, 115680]. Microsoft describes the actor as a sophisticated nation-state associated group [115680].
Intent (Poor/Accidental Decisions) accidental_decisions The failure was not a deliberate decision by Microsoft. Nobelium compromised a customer service agent's computer and used its access to steal account data for "highly targeted" attacks on customers [115660, 115680]. The exposure followed from ordinary operational decisions, giving support agents standing read access to billing data and running that tooling from everyday endpoints, whose risk was realized by an attacker rather than chosen by the company.
Capability (Incompetence/Accidental) development_incompetence (a) Development incompetence: information-stealing software was able to run on an agent's computer and read data from customer support tools without being caught until Microsoft happened to be investigating other Nobelium activity, so endpoint protection, tool access scoping and detection all fell short of what a previously breached, actively targeted organization should have had in place [115660]. (b) Accidental: the agent was not tricked; the attacker simply used the information the agent's account could legitimately see, billing contacts and the services customers pay for [115680]. The exposure was therefore an accident of access scope rather than an operator mistake, and tighter access controls and monitoring would have limited it.
Duration temporary The incident is temporary. Nobelium's access to the agent's computer and, through it, to customer support tools was limited to the second half of May 2021; Microsoft secured the affected computer, identified the group as the one behind the SolarWinds breach, and notified the impacted customers [115660, 115680].
Behaviour value, byzantine (a) crash: not applicable; no outage of Microsoft services or support tools is reported [115660, 115680]. (b) omission: not the primary behaviour; the support tools kept answering requests, which is precisely the problem, although endpoint defenses did fail to stop the information-stealing software [115660]. (c) timing: not applicable; the only timing fact reported is that the attacker's access lasted through the second half of May [115660, 115680]. (d) value: the support tools returned billing contact information and the services customers pay for to a session under attacker control, and that data was then used in phishing against customers [115660, 115680]. (e) byzantine: an agent session that looked legitimate to the support tools was in fact driven by a nation-state associated actor reviewing Microsoft Services subscription data, so the system's observable behaviour was inconsistent with who was actually using it [115680]. (f) other: the downstream effect was a set of hacking attempts against customers built from the stolen data; the agent had limited powers, Microsoft warned customers to be wary of billing-contact communications and to change related passwords and usernames, and the incident is distinct from Nobelium's earlier successful attack on Microsoft in which the group obtained some source code [115660, 115680].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, theoretical_consequence The consequence is primarily to property: customers' data (billing contacts and the services they pay for) was exposed, and that data enables phishing aimed at money or further account access [115660, 115680]. Harm beyond the exposure itself is theoretical in the reporting: Microsoft warned customers of possible highly targeted attacks, and the campaign is characterized as largely unsuccessful, run-of-the-mill espionage, with no financial losses reported [115680].
Domain information, finance, government (a) Information: the incident concerns customer service and account-data handling at Microsoft, a technology and information company [115660, 115680]. (h) Finance: billing contact information and the list of paid services give an attacker exactly the material for invoice- or payment-themed phishing, so there is a plausible financial angle [115660, 115680]. (l) Government: Nobelium's earlier campaign hit government agencies, and the U.S. government, the Department of Homeland Security and CISA are cited in the reporting; the articles do not name the sectors of the three entities compromised this time [115660, 115680].
