Russian group behind SolarWinds hack shows up again

Sheila Zabeu

May 28, 2021

The alert comes from Microsoft. Nobelium, the group responsible for attacks involving SolarWinds customers, carried out another phishing attack this week, this time against the US and foreign government agencies, NGOs, and think tanks using an email marketing account from the US Agency for International Development (USAID).

The wave of attacks targeted about 3,000 email accounts in more than 150 different organizations in 24 countries, predominantly the United States. According to Microsoft, these attacks appear to continue the group’s efforts to target government agencies for the purpose of gathering intelligence information.

The phishing emails sent by Nobelium contained a link that, when clicked, executed a file to distribute a backdoor called NativeZone. Through this entry point, actions such as data theft and the compromise of other machines on the network were carried out. According to Microsoft, this campaign differs significantly from the Nobelium operations conducted between September 2019 and January 2021. More details on this issue are available in a blog post from the Microsoft Threat Intelligence Center (MSTIC).

In Microsoft’s view, it is clear that the Nobelium group’s aim is to gain access to major technology companies, infect their customers, and thus undermine confidence in the technology ecosystem. In the case of SolarWinds, it took advantage of software updates and has now used mass emails to attack humanitarian and human rights organizations.

Microsoft claims that many of the targeted attacks were blocked automatically. Because a high volume of emails was distributed in this particular Nobelium campaign, most messages with malicious content were marked as spam. Furthermore, Microsoft points out that Windows Defender is able to block the malware involved in this attack. Microsoft also recommends, on the MSTIC blog, ways to mitigate the impact of this attack.