REDMOND, Wash. — The same Russian group behind the SolarWinds hacking campaign launched another wave of attacks this week on government agencies, think tanks, consultants, and non-governmental organizations, Microsoft announced.
Tom Burt, the technology company’s Vice President of Customer Security and Trust, said in a blog post on Thursday that the threat actor Nobelium targeted about 3,000 email accounts at more than 150 organizations in at least 24 countries, with most of the targets in the U.S.
Burt said at least a quarter of the targeted organizations are involved in international development, humanitarian, and human rights work.
“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt wrote.
Burt said Nobelium launched this week’s attacks by gaining access to the “Constant Contact” account of the U.S. Agency for International Development (USAID). It’s a service used for email marketing.
From there, Burt says the group was able to distribute phishing emails that looked authentic, but they included a link that, when clicked, inserted a malicious file used to distribute a backdoor called "NativeZone."
“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt wrote.
Many of the attacks targeting Microsoft’s customers were automatically blocked and Windows Defender is blocking the malware involved in this attack, according to Burt. Microsoft is working on notifying its customers who were targeted.
Burt said the company has no reason to believe the attacks involve any exploit against or vulnerability in Microsoft’s products or services.
Microsoft says the attacks are notable for three reasons.
First, it’s clear that gaining access to trusted technology providers and infecting their customers is part of Nobelium’s playbook. Second, the group’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. And third, nation-state cyberattacks aren’t slowing.