The Russian-based group behind the SolarWinds hack has launched a new campaign that appears to target government agencies, think tanks and non-governmental organizations, Microsoft said Thursday.
Nobelium launched the current attacks after gaining access to an email marketing service used by the United States Agency for International Development, or USAID, according to Microsoft.
“These attacks appear to be a continuation of Nobelium’s multiple efforts to target government agencies involved in foreign policy as part of intelligence-gathering efforts,” wrote Tom Burt, vice president of customer security and trust. at Microsoft, in a blog post.
The campaign, which Microsoft called an active incident, targeted 3,000 email accounts in 150 organizations, mostly in the United States, Burt said. But the targets are in at least 24 countries. At least a quarter of the targeted organizations are said to be involved in activities such as international development and human rights.
The effort involved sending phishing emails that looked legitimate but designed to deliver malicious files.
Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, wrote in an article that the relatively low detection rates of phishing emails suggest the attacker had ” probably succeeded in violating targets, ”the Associated Press reported. .
Microsoft did not say whether or how many attempts were successful. He said many high-volume campaign emails were reportedly blocked by automated systems.
The email campaign has been running since at least January and has evolved over the waves, Microsoft said in a separate blog post.
Microsoft said in Thursday’s blog that Nobelium’s spear-phishing is recurring. “It is expected that additional activities can be carried out by the group using an evolving set of tactics,” he said.
Nobelium, Burt said, accessed the USAID account with Constant Contact, a mass mail service.
On Wednesday, emails purported to appear to be from USAID were sent, some of which mentioned “special alert” and “Donald Trump released new documents on voter fraud,” Microsoft said.
The link ultimately ends up in the infrastructure controlled by Nobelium, which delivers a malicious file. Delivering the malicious files allows Nobelium “persistent access to compromised machines,” Microsoft said.
Burt said Microsoft detected the attack through the work of its Threat Intelligence Center to track down “nation-state actors.” He wrote that the company has no reason to believe that there is a vulnerability with its products or services.
The SolarWinds attack, which was discovered late last year, involved pirating widely used software manufactured by the Texas-based company and led to infiltration of at least nine federal agencies and dozens of federal agencies. ‘companies.
Microsoft President Brad Smith called it “the biggest and most sophisticated attack the world has ever seen.”
The Associated Press contributed.