Microsoft said that Nobelium, a Russia-based hacking group, launched the phishing campaign after gaining access to a marketing account of the U.S. Agency for International Development (USAID). These SolarWinds hackers targeted 150 organizations with phishing.
Microsoft’s Insights on this Phishing Attack
The SolarWinds hackers have launched a campaign that appears to target government agencies. Microsoft said that “These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”
This campaign targeted 3,000 email accounts across 150 organizations, mostly in the United States, but the targets are spread across at least 24 countries. At least a quarter of the targeted organizations are said to be involved in missions including international development and human rights work.
Microsoft later added that the attack is ongoing: “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
The Working of the Phishing Attack
Emails were sent that were meant to look like they were from USAID, including some that read “special alert” and “Donald Trump has published new documents on election fraud,” Microsoft said.
Figure: Phishing email appearing to come from USAID
If users click the link, a malicious file is installed on their system that gives Nobelium access to the compromised machine, according to Microsoft. Burt said Microsoft detected the attack through the work of its threat intelligence center in tracking “nation-state actors.”
The SolarWinds attack, which was discovered late last year, involved compromising widely used software made by the Texas-based company and led to the infiltration of at least nine federal agencies and dozens of companies.
A forensic investigation into the incident is ongoing, USAID said in a statement.
“USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” the agency added.
A CISA spokesperson said the agency is working with the FBI to address the “malicious activity” and has not yet “identified significant impact on federal government agencies resulting from these activities.”
CISA also released CHIRP, a Python-based tool that detects malicious activity associated with the SolarWinds hackers in compromised on-premises enterprise Windows environments.
CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities. While many organizations have controls in place to block malicious emails and prevent associated impacts, we encourage all organizations to review the activity alert and take steps to reduce their exposure to these types of threats.