The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted phishing assault on US and foreign government agencies and thinktanks this week using an email marketing account of the US Agency for International Development (USAid), Microsoft has said.
The effort targeted about 3,000 email accounts at more than 150 different organisations, at least a quarter of them involved in international development, humanitarian and human rights work, the Microsoft vice-president Tom Burt wrote in a blog post late on Thursday.
It did not say what portion of the attempts may have led to successful intrusions. The cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggested the attacker was “likely having some success in breaching targets”.
Microsoft identified the group carrying out the attacks as Nobelium, originating from Russia and the same actor behind the attacks on SolarWinds customers in 2020.
Burt said the campaign appeared to be a continuation of efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence-gathering efforts”. He said the targets spanned at least 24 countries.
The hackers gained access to USAid’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated 25 May purported to contain new information on 2020 election fraud claims and included a link to malware that allowed the hackers to “achieve persistent access to compromised machines”.
Microsoft said in a separate blogpost that the campaign was ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January that escalated to the mass mailings of this week.
It comes weeks after a 7 May ransomware attack on Colonial Pipeline shut the US’s largest fuel pipeline network for several days, disrupting supply.
The SolarWinds hack began as early as March 2020 when malicious code was sneaked into updates to popular software called Orion, made by the company, which monitors the computer networks of businesses and governments for outages. That malware gave elite hackers remote access to an organisation’s networks so they could steal information.
The hacking campaign, which infiltrated dozens of private sector companies and thinktanks as well as at least nine US government agencies, was supremely stealthy and carried on for most of 2020 before being detected in December by the cybersecurity firm FireEye. By contrast, this new campaign is what cybersecurity researchers call noisy and easy to detect.
Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates; this campaign piggybacked on a mass email provider. With both methods, the company said, the hackers undermine trust in the technology ecosystem.
The Microsoft president, Brad Smith, has previously described the SolarWinds attack as “the largest and most sophisticated attack the world has ever seen”.
This month, Russia’s spy chief denied responsibility for the SolarWinds attack but said he was “flattered” by the accusations from the US and Britain that Russian foreign intelligence was behind such a sophisticated hack.
The US and Britain have blamed Russia’s foreign intelligence service), successor to the foreign spying operations of the KGB, for the hack.