Illustration by Security Management

Hacking Group Behind SolarWinds Conducts Massive Phishing Campaign, Microsoft Says

Hackers gained access to an email marketing service account used by a U.S. State Department agency to carry out a string of attacks on other agencies, think tanks, consultants, and non-governmental organizations (NGO), Microsoft announced Thursday evening.

Nobelium, a threat actor from Russia that was also behind the SolarWinds compromises, targeted 3,000 email accounts at more than 150 different organizations in 24 countries. Microsoft’s Tom Burt, corporate vice president, customer security and trust, described the latest campaign as a continuation of its efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts.

“Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,” Burt wrote in a corporate blog post. “Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”

Nobelium is also linked to the 2016 breach of the Democratic National Committee, and this week’s intrusion shows the threat actor is still interested in spreading misinformation about the U.S. electoral process.

“One of the phishing emails contains a document purporting to come from USAID claiming that former President Donald Trump has ‘published new documents on election fraud,’” CyberScoop reports.

Microsoft’s Windows Defender is automatically blocking the malware used in the attack, and Burt said Microsoft is notifying all impacted customers. The attack does not appear to exploit any vulnerabilities in Microsoft’s products or services, but Burt added that it was notable for three reasons, including that cyberattacks by Nobelium and other Russian actors have become a tool of choice for some nation-states to accomplish their political objectives, and that these types of attacks are not slowing down.

Burt also highlighted that when paired with the attack on SolarWinds, “it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”

This most recent incident comes just weeks after U.S. President Joe Biden’s administration announced sanctions against Russia for the SolarWinds supply chain attack that impacted at least nine government agencies and hundreds of private companies. Both the United States and the United Kingdom said the attack was carried out by Russia’s Foreign Intelligence Service (SVR), formerly the foreign spying operations of the KGB.

“This month, Russia’s spy chief denied responsibility for the SolarWinds cyberattack but said he was ‘flattered’ by the accusations from the United States and Britain that Russian foreign intelligence was behind such a sophisticated hack,” Reuters reports. 

Biden is preparing to meet Russian President Vladimir Putin in person in Switzerland in June—the first in-person meeting for the two presidents. NBC News reports that Biden plans to address a range of issues with Putin, including the New Strategic Arms Reduction Treaty on nuclear weapons control, Ukraine, and the recent ransomware attack on Colonial Pipeline.

“Biden has spoken on the phone twice with Putin since taking office,” NBC News said. “The White House has been discussing the possibility of a meeting between the two leaders for weeks. National security adviser Jake Sullivan met with his Russian counterpart on Monday to discuss the U.S.-Russia summit, according to the White House.”