SolarWinds Hackers Go Phishing
By Sarah Coble
American multinational technology company Microsoft says that the threat group behind the Microsoft and SolarWinds hack has launched a massive new phishing campaign targeting government agencies, NGOs and think tanks.
Last year, an advanced persistent threat (APT) group exploited vulnerabilities in Microsoft and SolarWinds programs to carry out a supply-chain attack that trojanized SolarWinds' Orion business software updates to distribute malware. Nine US federal agencies and over 100 companies were targeted.
According to Microsoft, Russian-based APT group Nobelium was not only behind that attack but is now running a phishing campaign that has already targeted thousands of email accounts around the world.
"This week we observed cyber-attacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations," wrote Microsoft's vice president of customer security and trust, Tom Burt, in a blog post published on Thursday.
"This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations."
Burt said that organizations in at least 24 different countries were impacted, with the majority of victims located in the United States.
At least one in four of the organizations targeted are involved in international development, humanitarian, and human rights work.
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," wrote Burt.
Nobelium launched the phishing campaign by gaining access to the Constant Contact account of USAID.
"From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone," wrote Burt.
"This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network."
Digital Shadows threat researcher Stefano De Blasi said that Nobelium's alleged malicious activity exemplified how targeted phishing campaigns still constitute a serious threat against institutions of any kind.
He added: "This campaign is the latest testament to this group's objective of collecting sensitive and highly valuable information from Western organizations operating in the government and external affairs field."