SolarWinds hackers are back, targeting 150 organizations, Microsoft warns
The Russian group behind the SolarWinds hack has launched a new campaign that appears to target government agencies, think tanks and non-governmental organizations, researchers said Thursday.
The prolific hacker group, which Microsoft calls Nobelium and which is generally believed to be led by the Russian Foreign Intelligence Service, or SVR, launched the current attacks after gaining access to an email marketing service used by the United States Agency for International Development, or USAID, according to Microsoft.
“These attacks appear to be the continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence-gathering efforts,” wrote Tom Burt, Microsoft’s vice president of customer security and trust, in a blog post.
The campaign, which Microsoft described as an active incident, targeted 3,000 email accounts at 150 organizations, mostly in the United States, he said. But the targets are in at least 24 countries. At least a quarter of the targeted organizations are said to be involved in mission-driven work, particularly international development and human rights.
The effort involved sending phishing emails. Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, wrote in a blog post that the relatively low detection rates of the phishing emails suggest the attacker has “probably succeeded in violating targets.”
The Russian Foreign Ministry did not immediately respond to a request for comment. SVR director Sergei Naryshkin previously scoffed at claims by the US and UK governments that his agency was responsible for the SolarWinds hack.
Microsoft did not say whether, or how many, attempts were successful. The company said many of the high-volume campaign’s emails were likely blocked by automated systems.
The email campaign has been going on since at least January and has evolved over several waves, the company said in a separate blog post.
Microsoft said in Thursday’s blog post that the Nobelium spear-phishing campaign is ongoing. “It is expected that additional activities can be carried out by the group using an evolving set of tactics,” the company said.
Nobelium, Burt said, accessed the USAID account with Constant Contact, a mass messaging service.
In an emailed statement, a spokesperson for Constant Contact said the compromise of the USAID account on its platform was “an isolated incident” and that the company had temporarily disabled accounts that may have been affected.
On Tuesday, emails designed to resemble USAID’s were sent, including some that said “special alert” and “Donald Trump released new documents on voter fraud,” Microsoft said.
If users click on the link, a malicious file is installed on their system that allows Nobelium to gain access to the compromised machine, Microsoft said.
Burt said Microsoft detected the attack through the work of its Threat Intelligence Center in tracking “nation state actors.” He wrote that the company has no reason to believe that there is a vulnerability in its products or services.
The SolarWinds attack, which was discovered late last year, involved the compromise of widely used software made by the Texas-based company and led to the infiltration of at least nine federal agencies and dozens of companies.
Microsoft President Brad Smith called it “the biggest and most sophisticated attack the world has ever seen.”
Prior to the SolarWinds campaign, the SVR was more widely known for its spear-phishing campaigns, making the USAID operation a throwback for the agency, said John Hultquist, director of intelligence analysis at Mandiant, a cybersecurity firm that also tracked the campaign.
“It has turned over the rotation of SolarWinds,” he said. “It’s a reminder that espionage is not going to go away. You’re not going to convince the Russians to stop spying.”
A forensic investigation into the incident is underway, USAID said in a statement.
“USAID has notified and is working with all relevant federal authorities, including the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” the agency added.
A spokesperson for CISA said the agency was working with the FBI to combat the “malicious activity” and had yet to “identify a significant impact on federal government agencies resulting from such activity.”
“CISA continues to work with the FBI to understand the scope of these activities and to assist potentially affected entities. While many organizations have controls in place to block malicious emails and prevent associated impacts, we encourage all organizations to review our Activity Alert and take action to reduce their exposure to these types of threats,” the spokesperson said in a statement.
CORRECTION (May 28, 2021, 5:45 p.m. ET): An earlier version of this article incorrectly stated when the phishing emails were sent. They were sent on Tuesday, not Wednesday.
The Associated Press contributed.