The Russian hackers behind the SolarWinds attack are now targeting third sector organisations and government agencies, Microsoft warns.
The Redmond-headquartered tech titan said in a blog on Thursday that Nobelium, the hacking group behind that initial digital assault, has now targeted 3,000 email accounts across 150 organisations.
The brunt of the attacks targeted US entities, but Nobelium also attacked organisations in a total of 24 countries.
“At least a quarter of the targeted organisations were involved in international development, humanitarian, and human rights work,” said Tom Burt, corporate vice president of customer security and trust at Microsoft.
“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”
The SolarWinds supply chain attack was dubbed Sunburst. It first came to light in December 2020. It compromised US government departments like Energy, the Treasury and Commerce as well as a total of 18,000 organisations across the globe.
In April, both US and UK intelligence agencies officially stated that the SolarWinds hackers belonged to the Russian Foreign Intelligence Service, the Sluzhba Vneshney Razvedki (SVR), descendant of the foreign-operations arms of the Cold War KGB.
Microsoft said the SolarWinds attackers had launched their new campaign by gaining access to an email marketing account of the United States Agency for International Development (USAID).
Using the account, Nobelium was able to distribute phishing emails that included a link that inserted a malicious file to mount a backdoor called NativeZone.
“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt said.
Microsoft said the SolarWinds attackers’ assault was blocked automatically and that Windows Defender has proven successful against the malware.
“We’re also in the process of notifying all of our customers who have been targeted,” Burt said. “We detected this attack and identified victims through the ongoing work of the MSTIC team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”
Microsoft noted that Nobelium seemed to be using a similar playbook to the SolarWinds attack as it gained access to a trusted organisation and then used its access as a springboard to launch its attack against others.
Burt also noted that “Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating.”
Other Russian hackers, known to security pros under such names as Strontium, aka Fancy Bear, have previously targeted anti-doping organisations, major elections and healthcare organisations.
Burt finished the blog by nothing that nation-state cyberattacks aren’t slowing.
“We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules,” Burt said.
“We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace. ”
The news comes just weeks before Joe Biden is due to meet Vladimir Putin in Switzerland. The two presidents will use the face-to-face meeting to address the mounting tension between the two countries.