Russia-linked hackers behind the SolarWinds attack have been targeting government agencies, think tanks and non-governmental organizations through the email system of the U.S. Agency for International Development (USAID), Microsoft said late Thursday.
The wide-scale attack was uncovered this week by the Microsoft Threat Intelligence Center, which on Thursday identified the group responsible in a statement as Nobelium. The same group has been blamed for the November attack, carried out through widely used SolarWinds software, that aided the breach of at least nine U.S. federal agencies as well as dozens of companies, including Fortune 500 businesses.
Microsoft said it had first noticed the campaign in January, but on Tuesday Nobelium escalated the effort by accessing the Constant Contact email service of USAID, from which it distributed malicious links through authentic-looking emails to organizations and industries. When the link is clicked, a malicious file creates a so-called back door on the computer that enables the theft of data and the ability to infect other computers on the network, it said.
Though there were several iterations of the email, one example shared by Microsoft attempts to convince recipients to click on the link by advertising it as a USAID special alert, stating “Donald Trump has published new documents on election fraud.”
Microsoft said that, due to the high volume of emails distributed in the campaign, most were blocked by threat detection systems and marked as spam.
“However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place,” Microsoft said.
This spear-phishing scheme targeted some 3,000 individual accounts across more than 150 organizations, it said.
“While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries,” Tom Burt, corporate vice president at Microsoft’s Customer Security and Trust department, said in a blog post. “At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.”
Burt said this attack, combined with the SolarWinds attack, shows that the group is continuing its effort to gain access to agencies concerned with foreign policy as part of its intelligence-gathering operations.
The attack also fits a pattern in which Nobelium attempts to gain access to its victims through trusted technology providers, which increases the odds of causing collateral damage by undermining trust in technology, he said.
It also shows that Nobelium and other similar threat actors target humanitarian and human rights organizations and that nation-state cyberattacks are only increasing.
Cybersecurity firm Volexity also said in a blog post it had observed the campaign and that there has been a relatively low detection rate suggesting “the attacker is likely having some success in breaching targets.”
Microsoft warned that Nobelium’s spear-phishing operations have been recurring and increasing in frequency and scope, and that it expects “additional activity may be carried out by the group using an evolving set of tactics.”
A spokesperson with the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security told a U.S. news daily that they were “aware of the potential compromise” and were “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
The attack was uncovered weeks before President Joe Biden is to meet Russian President Vladimir Putin for a summit on June 16 in Geneva, Switzerland, where it is anticipated that the recent cyberattacks will be discussed.