Microsoft says SolarWinds hackers have struck again at the US and other countries
According to Microsoft, the hackers responsible for one of the worst data breaches in US government history have launched a new global cyberattack on more than 150 government agencies, think tanks, and other organizations.
The group, which Microsoft refers to as "Nobelium," targeted 3,000 email accounts at various organizations this week, the company said in a blog post Thursday. The majority of the accounts were located in the United States.
It believes the hackers are members of the same Russian group responsible for last year's devastating attack on SolarWinds — a software vendor — in which at least nine US federal agencies and 100 businesses were targeted.
The US government has placed a premium on cybersecurity following revelations that hackers injected malicious code into a SolarWinds tool. A ransomware attack earlier this month that crippled one of America's most critical pieces of energy infrastructure — the Colonial Pipeline — has only added to the sense of alarm. According to the FBI, that attack was carried out by a Russian-based criminal group.
According to Microsoft (MSFT), at least a quarter of the targets of this week's attacks were engaged in international development, humanitarian, and human rights work in at least 24 countries. According to the statement, Nobelium launched the attack by gaining access to the Constant Contact email marketing account of the US Agency for International Development (USAID).
"These attacks appear to be a continuation of Nobelium's previous efforts to target government agencies involved in foreign policy in order to gather intelligence," the company stated.
Pooja Jhunjhunwala, acting spokesperson for USAID, stated Friday that the agency was aware of "possibly malicious email activity" emanating from a compromised Constant Contact marketing account. Jhunjhunwala added that a forensic investigation into the incident is ongoing.
According to spokespeople, both the White House National Security Council and the US Cybersecurity and Infrastructure Security Agency (CISA) are aware of the incident. According to a spokesperson for CISA, the agency is "collaborating with the FBI and USAID to better understand the scope of the compromise and assist potential victims."
By gaining access to USAID's account, the hackers were able to send out phishing emails that "looked authentic but contained a link that, when clicked, inserted a malicious file," allowing the hackers to gain access to computers via a backdoor.
"This backdoor could be used for a variety of malicious activities, ranging from data theft to infecting other computers on a network," Microsoft stated.
One of the forged emails purporting to be from USAID contained an authentic sender address. The email was disguised as a "special alert" and invited recipients to click on a link to "view documents" on election fraud from former President Donald Trump.
Microsoft stated that a large number of the attacks were automatically blocked. The company is notifying affected customers and stated that it has "no reason to believe these attacks are the result of an exploit or vulnerability in Microsoft's products or services."
Constant Contact's spokesperson stated that the company is "aware that the account credentials of one of our customers have been compromised," describing the incident as "isolated." "We have temporarily disabled impacted accounts while we work with our customer and law enforcement," the spokesperson added.
At the time of the SolarWinds hack, US intelligence and law enforcement agencies stated that the group behind the attack "likely originated in Russia," and that the attack was suspected of being an act of espionage.
Microsoft reiterated those suspected motivations in a Thursday blog post, writing that "when combined with the SolarWinds attack, it's clear that part of Nobelium's playbook is to gain access to and infect trusted technology providers."
"By piggybacking on software updates and now mass email providers, Nobelium increases the likelihood of collateral damage during espionage operations and erodes trust in the technology ecosystem," the company stated.
According to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, the latest disclosure demonstrates how Russia has remained undeterred by recent US efforts to hold the Kremlin accountable and strengthen cybersecurity in the aftermath of the SolarWinds campaign.
"The Russians are pursuing a campaign of massive attacks against US targets, which they have no reason to abandon," Lewis explained. "They are unconcerned about the US response. They're putting the new administration to the test."
Dmitry Peskov, the Kremlin's spokesman, declined to comment on the specifics of Microsoft's allegations on Friday.
Conclusion
"To respond to your question, we must first address the following: which groups? Why are they inextricably linked to Russia? What was attacked by whom? What resulted from this? What was the nature of the attack? And how did Microsoft become aware of it? After we've addressed all of these points, we can consider the response [to your question]," Peskov stated during a conference call with reporters.
He added that he did not believe the allegations would have an impact on the upcoming US-Russian summit between President Joe Biden and Russian President Vladimir Putin.