Hackers Behind SolarWinds Attack Target 150 Organizations in New Cyber Campaign

By Tom Ozimek
Reporter
Tom has a broad background in journalism, deposit insurance, marketing and communications, and adult education. The best writing advice he's ever heard is from Roy Peter Clark: 'hit your target' and 'leave the best for last.'
May 28, 2021 Updated: May 28, 2021

Microsoft said the hackers behind the SolarWinds cyberattack have launched a fresh campaign targeting over 150 government agencies, think tanks, and non-governmental organizations.

The Russia-based hacking group, which goes by various names including Nobelium, launched the new attack after gaining access to an email marketing service used by the United States Agency for International Development (USAID), Microsoft said in a Thursday blog post.

After accessing USAID’s email marketing account, the hackers distributed phishing emails that contained a link to a malicious file that enabled data theft and infection of other computers, according to Tom Burt, Microsoft vice president of customer security and trust.

“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt wrote in the post.

The campaign targeted some 3,000 email accounts across over 150 organizations, Burt wrote. While most of the targets were in the United States, the attack spanned at least 24 countries, he added.

Cybersecurity firm Volexity, which also tracked the attacks, wrote in a post that it believes the operation was likely launched by APT29, a Russian hacking group categorized as an “advanced persistent threat” and believed to be associated with Russian intelligence services. The group has various nicknames, including Cozy Bear, Nobelium, and Dark Halo.

“While Volexity cannot say with certainty who is behind these attacks, it does believe it has the earmarks of a known threat actor it has dealt with on several previous occasions,” the cybersecurity firm wrote, noting a number of attack attributes used in this campaign that were consistent with previous tactics used by APT29.

“After a relatively long hiatus with no publicly detailed spear phishing activity, APT29 appears to have returned,” Volexity wrote, adding that the files used in the attack have “relatively low static detection rates,” which “suggests the attacker is likely having some success in breaching targets.”

A previous hack of information technology company SolarWinds, which was identified in December, has been attributed with a high degree of confidence to the Russian intelligence-linked APT29 group.

The United States and Britain have blamed Russia’s Foreign Intelligence Service, successor to the foreign spying operations of the KGB, for the SolarWinds hack, which compromised nine U.S. federal agencies and hundreds of private sector companies.

This month, Russia’s spy chief denied responsibility for the SolarWinds cyberattack but said he was “flattered” by the accusations that Russian foreign intelligence was behind such a sophisticated hack.

News of the fresh wave of cyberattacks attributed to APT29 comes weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for days, disrupting supply, sending gasoline prices soaring, and driving panic buying at the pumps.
