The Russia-based group behind the SolarWinds hack has launched a new campaign that appears to be targeting government agencies, think tanks and non-governmental organizations, Microsoft said Thursday.
Nobelium launched the current attacks after Microsoft said it gained access to an email marketing service used by the United States’ International Development Agency (USAID).
“These attacks appear to be a continuation of Nobelium’s multiple intelligence-gathering efforts to target foreign policy agencies,” wrote Tom Burt, Microsoft vice president of customer security and trust in a blog post.
The campaign, which Microsoft described as an active incident, targeted 3,000 email accounts in 150 organizations, mostly in the US, Burt said. However, the targets are in at least 24 countries. At least a quarter of the target organizations are said to be involved in things like international development and human rights work.
The effort involved sending phishing emails that looked legitimate but were supposed to deliver malicious files.
Cybersecurity firm Volexity, which also tracked the campaign but has less insight into email systems than Microsoft, wrote in a post that relatively low detection rates of phishing emails suggest that the attacker is “likely to have some success in the.” Had violation of goals, “reported the Associated Press.
The email campaign has been running for at least January and has developed over waves, Microsoft said in a separate blog post.
According to Burt, Nobelium accessed the USAID account at Constant Contact, a mass mailing service.
On Wednesday, emails that appeared to be from USAID were sent out, including some labeled “Special Alert” and “Donald Trump released new documents on election fraud,” Microsoft said.
The link ultimately leads to an infrastructure controlled by Nobelium that delivers a malicious file. By providing the malicious files, Nobelium has “permanent access to compromised computers,” according to Microsoft.
According to Burt, Microsoft discovered the attack through its Threat Intelligence Center’s work in tracking “nation-state actors”. He wrote that the company has no reason to believe that there is a vulnerability in its products or services.
The SolarWinds attack, discovered late last year, involved hacking widespread software from the Texas-based company and infiltrated at least nine federal agencies and dozen of companies.
Microsoft President Brad Smith called it “the biggest and most sophisticated attack the world has ever seen”.
The Associated Press contributed.