Russian hackers who breached SolarWinds’ IT management software to compromise a handful of U.S. government agencies and businesses are back in the limelight. Microsoft said Thursday that the same spy group, which it calls “Nobelium,” has been running an aggressive phishing campaign since January of this year that escalated dramatically this week. It targets approximately 3,000 individuals at more than 150 organizations in 24 countries.
The revelation caused panic and refocused attention on Russia’s ongoing digital espionage. But it’s not shocking that Russia in general, and the SolarWinds hackers in particular, continue to snoop, even after the US imposed retaliatory sanctions in April. And compared to SolarWinds, phishing campaigns are very common.
“I don’t think it’s an upgrade. I think it’s business as usual,” said John Hultquist, vice president of intelligence analysis at security firm FireEye, which first discovered the SolarWinds intrusion. “I don’t think they were intercepted. And I think they are unlikely to be hindered.”
Russia’s latest campaign is still worth calling out. Nobelium compromised legitimate accounts at the mass-email service Constant Contact, including those of the US Agency for International Development. From there, the hackers, reported to be members of Russia’s foreign intelligence agency, the SVR, were able to send specially crafted phishing emails that genuinely came from the email accounts of the organizations they impersonated. The emails contain a valid link that then redirects to malicious Nobelium infrastructure and installs malware that lets the attackers control the target device.
Although the number of targets seems large, and USAID works with many people in sensitive positions, the actual impact may not be as severe as it initially sounds. Microsoft has acknowledged that some messages may have gotten through, but the company says its automated spam systems blocked many of the phishing messages. Tom Burt, Microsoft vice president of security and customer trust, wrote in a blog post Thursday that the company views the activity as “complex” and that Nobelium may have spent several months developing and refining its campaign strategies before reaching its targets this week.
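The defensive check that follows from the technique described above is to look past the sending account, which is genuine, and resolve where each link in the message finally lands. The script below is an added example, not code from the Wired story or from Microsoft: it parses a constructed email, extracts its links, follows a constructed redirect table (standing in for live HTTP redirects) and flags any link whose final host is outside the sender organization’s allowlist. All domains, addresses and redirect targets are placeholders, not indicators from the real campaign.

```python
# Added example (not part of the original article): flag emails that really come
# from a legitimate mass-mailing account but whose links redirect elsewhere.
# Every domain, address and redirect below is a constructed placeholder.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: hosts a message from this sender organization may legitimately land on.
# "tracker.example-mailer.test" stands in for a mailing service's click-tracking host.
SENDER_ALLOWLIST = {
    "example-agency.test": {
        "example-agency.test",
        "www.example-agency.test",
        "tracker.example-mailer.test",
    },
}

# Constructed stand-in for following HTTP redirects offline: URL -> next hop.
REDIRECTS = {
    "https://tracker.example-mailer.test/c/abc123": "https://cdn.attacker-placeholder.test/download",
    "https://tracker.example-mailer.test/c/def456": "https://www.example-agency.test/news",
}

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def resolve_final_url(url, redirects=REDIRECTS, max_hops=10):
    """Follow the redirect table until a URL has no further hop.
    A bounded hop count and a seen-set stop redirect loops."""
    seen = set()
    for _ in range(max_hops):
        if url in seen or url not in redirects:
            return url
        seen.add(url)
        url = redirects[url]
    return url


def extract_links(raw_message):
    """Return every href in the HTML (or plain-text) body of a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return HREF_RE.findall(text)


def sender_domain(raw_message):
    """Domain of the From: address, lower-cased; empty string if absent."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return addr.rsplit("@", 1)[-1].lower()


def suspicious_links(raw_message, allowlist=SENDER_ALLOWLIST, redirects=REDIRECTS):
    """Return (link, final_url) pairs whose landing host is outside the
    sender organization's allowlist. The sender itself is trusted here, which
    is exactly why the landing host has to be checked."""
    allowed = allowlist.get(sender_domain(raw_message), set())
    flagged = []
    for link in extract_links(raw_message):
        final = resolve_final_url(link, redirects)
        host = (urlparse(final).hostname or "").lower()
        if host not in allowed:
            flagged.append((link, final))
    return flagged


# Constructed sample message: genuine sender, one benign link, one link that
# redirects off to placeholder attacker infrastructure.
SAMPLE_EMAIL = """From: Example Agency <newsletter@example-agency.test>
To: recipient@example-ngo.test
Subject: New documents for review
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the documents below.</p>
<a href="https://tracker.example-mailer.test/c/abc123">View documents</a>
<a href="https://tracker.example-mailer.test/c/def456">Latest news</a>
</body></html>
"""

if __name__ == "__main__":
    for link, final in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {link} -> {final}")
```

In production the redirect table would be replaced by a sandboxed HTTP client that follows redirects without executing any payload, and the allowlist would be populated from the organization’s known web and mailing-service hosts; the logic of comparing the final landing host against the trusted sender, rather than trusting the sender alone, stays the same.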
“It is likely that these observations represent changes in the skill of the actors and possible experimentation following widespread disclosure of previous events,” Burt wrote. In other words, this could be the pivot after their SolarWinds cover was blown.
But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of gaining access to a single system or account and then using it to reach many other targets. That is the nature of a spy agency.
“If this had happened before SolarWinds, we wouldn’t have thought of it. It’s just the context of SolarWinds that makes us see things differently,” said Jason Healey, a former Bush White House staffer and current Internet conflict researcher at Columbia University. “Let’s say this happens in 2019 or 2020. I don’t think anyone will blink at this.”
As Microsoft points out, there is nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, especially USAID, along with NGOs, think tanks, research groups, and military and IT service contractors.
“NGOs and DC think tanks have been high-value targets for decades,” said a former Department of Homeland Security cybersecurity adviser. “And it’s an open secret in the incident response world that USAID and the State Department have messed up IT networks and IT infrastructure. In the past, some of those systems were compromised for years.”
Especially compared to the scope and complexity of the SolarWinds breach, a widespread phishing campaign feels like a downgrade. But it’s important to remember that the impact of SolarWinds continues: even after months of publicity about the incident, Nobelium likely still lurks in at least some of the systems that were compromised during that effort.
“I’m sure they are still accessible from some SolarWinds campaigns,” FireEye’s Hultquist said. “But it is likely to remain in many places.”
That is simply the reality of digital espionage, which does not stop and start with public embarrassment. Nobelium’s activities are certainly unwelcome, but they don’t in themselves amount to meaningful new leverage.
Additional reporting by Andy Greenberg. This story originally appeared on wired.com.