SolarWinds hackers resurface to attack government agencies and think tanks

Operating in Russia, the Nobelium cybercrime group has targeted 3,000 email accounts across more than 150 organizations, says Microsoft.

istock-958122884.jpg

NicoElNino, Getty Images/iStockphoto

The group behind the infamous SolarWinds hacks is on another cyberattack spree, this time targeting not just government agencies but others as well. In a report published Thursday, Microsoft revealed that the threat actor Nobelium launched a series of attacks this past week against government agencies, think tanks, consultants, and non-governmental organizations. More than 25% of the victims were involved in international development, humanitarian and human rights work, according to Microsoft.

SEE: Incident response policy (TechRepublic Premium)

More about cybersecurity

Affecting more than 150 different organizations, the attacks targeted 3,000 separate email accounts. Many of the attacks were blocked automatically by security software, with Microsoft’s Windows Defender catching the malware used to try to compromise the organizations.

Identifying the culprit as Nobelium, Microsoft pointed out that this is the same group behind the SolarWinds hack in 2020. Those attacks, which exploited a security hole in a SolarWinds monitoring tool, hit different government agencies and were deemed to be sponsored by Russia. Microsoft called the latest incident a continuation of different information gathering efforts by Nobelium to target government agencies involved in foreign policy.

This week’s attacks started after Nobelium was able to compromise an account used by the United States Agency for International Development (USAID), which manages civilian foreign aid and assistance. Specifically, the group gained access to the USAID’s account for Constant Contact, a service used for email marketing.

After the initial access, the attackers were able to send out phishing emails impersonating ones from the USAID. But these emails came with a malicious file attachment that if opened deployed a backdoor malware known as NativeZone, capable of stealing data and infecting other networked computers.

In its report, Microsoft cited different reasons why these latest attacks are alarming.

As a follow-up to the SolarWinds attack, the compromise of Constant Contact shows that Nobelium is trying to gain access to trusted technology companies as a way to infect their customers. In the SolarWinds hack, the group exploited the software update process for the company’s Orion monitoring tool. In the latest attack, Nobelium has gone after mass email providers. These tactics increase the odds of real damage occurring in what is essentially an espionage operator and weakens trust in technology.

The attacks launched by Nobelium and other state-sponsored groups are targeted in the sense that they exploit concerns specific to a certain country at a certain time. Last year during the coronavirus outbreak, Russian cybercrime group Strontium targeted healthcare organizations working on vaccines. The year before, it went after sporting and anti-doping organizations. Strontium and other groups have also tried to affect elections in the U.S. and other countries.

This time, Nobelium aimed at humanitarian and human rights organizations. These trends reveal how cyberattacks are being used as political weapons by hostile nation states to undermine other countries.

As state-sponsored cyberattacks continue to increase, Microsoft pointed to the need for clear rules that control the activities of nation states in cyberspace and clear penalties for violating those rules. The company urged countries to rally around the Paris Call for Trust and Security in Cyberspace and follow the recommendations from the Cybersecurity Tech Accord and the CyberPeace Institute.

“The campaign highlighted by Microsoft is another example of how targeted phishing campaigns still constitute a serious threat against institutions of any kind,” said Digital Shadows threat researcher Stefano De Blasi. “Their ability to elicit strong emotional responses from the email recipients is a crucial factor accounting for their success and, simultaneously, makes them very hard to defend against.”

Protecting yourself and your organization against these types of attacks requires a twofold approach, according to De Blasi. First, you need to make sure your employees receive the proper security awareness training to enforce best practices. Second, you must continually update your endpoint detection to try to catch any malicious threats that get past your network or email layers.

Employee training certainly becomes more challenging when the sources behind the emails appear convincingly credible as in these Nobelium attacks. That’s why it’s important to supplement your defenses with tools that can stop these malicious messages before they reach someone’s inbox.

“Employees will have more difficulties with the distinction of good and bad, of trusted and untrusted, which increases the importance of having an onion layer approach to security controls, overlapping each other as a backup,” said Dirk Schrader, Global VP for security research at New Net Technologies.

“Prevention is rather difficult when a company is at the receiving end of such malicious campaigns using trusted but compromised accounts,” Schrader added. “The detection capabilities do gain importance, and along the cyber kill chain, it will be about detecting malicious changes as early as possible as they account for 85% of all incidents, according to Gartner.”

Also see