The group behind the massive SolarWinds hacks has also been running a sophisticated email-based spear-phishing campaign, according to Microsoft. In a blog post, company VP Tom Burt said the Microsoft Threat Intelligence Center (MSTIC) has detected a wave of cyberattacks by the group, called Nobelium, against government agencies, think tanks and non-governmental organizations. Nobelium apparently sent out 3,000 emails to 150 organizations after getting access to Constant Contact, the mass mailing service used by the United States Agency for International Development, or USAID.
While most of the targets are in the United States, they're spread across 24 countries overall. At least a quarter of the intended victims are involved in humanitarian and human rights work and, hence, may be the most vocal critics of Russian president Vladimir Putin. The SolarWinds attack is believed to be a Russian-backed campaign, and the United States government retaliated by expelling 10 Russian diplomats from Washington, DC. The Treasury Department also imposed sanctions on six Russian technology companies that were allegedly involved in the creation of malicious tools for cyberattacks.
According to Microsoft, it first detected the campaign on January 25th, though Nobelium wasn't leveraging USAID's Constant Contact account to phish targets back then. The campaign has evolved in several ways since, and it was only on May 25th that MSTIC saw the group escalate, when it sent out 3,000 emails with legitimate-looking USAID addresses through the mailing service.
Thankfully, most of the emails were blocked by automated threat detection systems due to the high volume of emails that were sent out. Further, the contents were anything but subtle. The New York Times says one of the emails blasted out highlighted a message claiming that "Donald Trump has published new emails on election fraud." It then linked to a URL that downloads malware onto the victim's computer when clicked. Microsoft says some of the earliest emails that went out may have been successfully delivered, though, and it's advising potential targets to make sure they're sufficiently protected.
Burt wrote in his post:
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts... when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem."
The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves, demonstrating experimentation. On May 25, the campaign escalated as it leveraged a legitimate mailing service to masquerade as a U.S.-based development organization.
— Microsoft Security Intelligence (@MsftSecIntel) May 28, 2021