Microsoft warns of ‘sophisticated’ Russian email attack targeting government agencies

Targeting around 3,000 email accounts across over 150 organizations

Illustration by Alex Castro / The Verge

Microsoft has raised the alarm over a “sophisticated” ongoing cyberattack believed to be from the same Russia-linked hackers behind the SolarWinds hack. In a blog post, Tom Burt, Microsoft’s corporate vice president for customer security and trust, said the attack appears to be targeting government agencies, think tanks, consultants, and NGOs. In total, around 3,000 email accounts are believed to have been targeted across 150 organizations. Victims are spread across upward of 24 countries, but the majority are believed to be in the US.

According to Microsoft, hackers from a threat actor called Nobelium were able to compromise the US Agency for International Development’s account on a marketing service called Constant Contact, allowing them to send authentic-looking phishing emails. Microsoft’s post contains a screenshot of one of these emails, which claimed to contain a link to “documents on election fraud” from Donald Trump. However, when clicked, this link would install a backdoor that let the attackers steal data or infect other computers on the same network.

Phishing emails were sent from the US Agency for International Development

“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts,” a spokesperson for Constant Contact said in a statement. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”

Microsoft says it believes that many of the attacks were blocked automatically, and that its Windows Defender antivirus software is also limiting the spread of the malware. The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security has acknowledged Microsoft’s blog post and encouraged administrators to apply the “necessary mitigations.” 

This salvo of malicious emails is a warning that supply chain cyberattacks against US organizations are showing no signs of slowing, and that hackers are updating their methods in response to previous attacks becoming public. In its post, Microsoft calls for new international norms to be established governing “nation-state conduct in cyberspace” along with expectations of the consequences for breaking them.

The US government has blamed SVR, the Russian foreign intelligence service, for the SolarWinds hack, Bloomberg notes, although Russia’s president Vladimir Putin has denied Russian involvement. The attack is believed to have compromised around 100 private sector companies and nine federal agencies. Up to 18,000 SolarWinds customers are believed to have been exposed to the malicious code. In response, President Biden announced new sanctions on Russia and moved to expel 10 Russian diplomats from Washington, Bloomberg reports.