After a China-based cyberattack that hit its business email servers earlier this year, Microsoft has now warned of an ongoing “sophisticated” attack by Russia-based threat actors targeting government agencies, think tanks, consultants, NGOs and its customers across the globe.
Attributed to the same Russia-based hackers behind the infamous SolarWinds software hack, the latest attack by the group, named ‘Nobelium’, has targeted around 3,000 email accounts across 150 organisations.
“While organisations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organisations were involved in international development, humanitarian, and human rights work,” said Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft.
“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt said in a statement on Friday.
“Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack. We’re also in the process of notifying all of our customers who have been targeted,” he added.
‘Nobelium’ launched the attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing.
From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor that Microsoft calls NativeZone.
“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Microsoft said.
Nine federal agencies and about 100 private sector companies were compromised as a result of the SolarWinds hack.
After SolarWinds, at least 30,000 organisations across the US, including government and commercial firms, were hit earlier this year by a China-based espionage group called ‘Hafnium’, which exploited four vulnerabilities in Microsoft Exchange Server email software.
“While Hafnium is based in China, it conducts its operations primarily from leased virtual private servers (VPS) in the US,” Burt had said in March.
Alarmed at repeated cyber-attacks on the country, especially after the one on a key fuel pipeline last week, US President Joe Biden this month signed an executive order implementing new policies to improve national cybersecurity.