Russian state-backed cyber spies behind the SolarWinds hacking campaign this week launched a targeted phishing attack on US and foreign government agencies and think tanks, using an email marketing account belonging to the United States Agency for International Development (USAid), Microsoft said.
The effort has targeted around 3,000 email accounts at more than 150 different organizations, at least a quarter of which are involved in international development, humanitarian work and human rights, Microsoft vice president Tom Burt wrote in a blog post on Thursday.
He did not say what proportion of the attempts may have led to successful intrusions. Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that the relatively low detection rates of the phishing emails suggested the attacker “probably had some success in violating targets”.
Microsoft has identified the group that carried out the attacks as Nobelium, which it says originates in Russia and is the same actor behind the attacks on SolarWinds customers in 2020.
Burt said the campaign appeared to be a continuation of Russian hackers’ efforts to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets covered at least 24 countries.
The hackers gained access to USAid’s account at Constant Contact, an email marketing service, Microsoft said. The seemingly authentic phishing emails, dated May 25, purported to contain new information about 2020 election fraud allegations and included a link that delivered malware allowing the hackers to “gain persistent access to compromised machines”.
Microsoft said in a separate blog post that the campaign is ongoing and evolved from several waves of spear-phishing first detected in January into this week’s mass mailings.
It comes weeks after a May 7 ransomware attack on Colonial Pipeline shut down the United States’ largest fuel pipeline system for days, disrupting supply.
The SolarWinds hack began as early as March 2020, when malicious code was inserted into updates to Orion, the company’s popular software for monitoring corporate and government computer networks for outages. This malware gave elite hackers remote access to an organization’s networks so that they could steal information.
The hacking campaign, which infiltrated dozens of private sector companies and think tanks, as well as at least nine U.S. government agencies, was extremely stealthy and continued through most of 2020 before being detected in December by cybersecurity company FireEye. In contrast, this new campaign is what cybersecurity researchers would call loud and easy to detect.
Microsoft contrasted the two mass-distribution methods used: the SolarWinds hack exploited the software update supply chain of a trusted technology vendor, while this campaign relied on a mass messaging provider. With both methods, the company said, the hackers are undermining trust in the tech ecosystem.
Microsoft President Brad Smith previously described the SolarWinds attack as “the largest and most sophisticated attack the world has ever seen.”
This month, Russia’s spy chief denied responsibility for the SolarWinds attack, but said he was “flattered” by accusations by the United States and Britain that Russian foreign intelligence was behind such a sophisticated hack.
The United States and Britain blamed Russia’s Foreign Intelligence Service, the successor to the KGB’s foreign espionage operations, for the hack.
Associated Press and Reuters contributed to this report