Following a breach of Microsoft’s internal email systems earlier this year, the company warned of a continued “sophisticated” attempt by Russia-based threat actors to target government agencies, think tanks, consultancies, non-governmental organizations, and the company’s worldwide customers.
According to insiders, the group, known as ‘Nobelium’, is made up of the same Russia-based hackers that were responsible for the catastrophic SolarWinds software attack. Their most recent campaign targeted more than 3,000 email accounts across 150 different organizations.
“While the majority of assaults targeted US-based organizations, victims came from at least 24 other nations. At least a quarter of the organizations targeted were engaged in foreign development, humanitarian assistance, or human rights activity,” said Tom Burt, corporate vice president of security and trust at Microsoft.
“These assaults seem to be a continuation of Nobelium’s previous attempts to gather information by targeting government entities engaged in foreign policy,” Burt said in a statement on Friday.
“Numerous attempts on our customers have been swiftly thwarted, and Windows Defender is now preventing the malware used in this assault. Additionally, we are alerting all of our targeted clients at the moment,” he said.
The assaults started when ‘Nobelium’ gained access to USAID’s Constant Contact account.
Constant Contact is an email marketing company. The attacker was then able to disseminate phishing emails that seemed to be legitimate but had a link that, when clicked, implanted a malicious file that was used to deploy the NativeZone backdoor.
“This backdoor might be used to do a variety of heinous activities, ranging from data theft to infecting other machines on a network,” Microsoft said.
The SolarWinds breach affected nine governmental agencies and around 100 private sector businesses.
Following SolarWinds’ announcement, at least 30,000 organizations in the United States, including government and commercial entities, were targeted earlier this year by a China-based intelligence operation dubbed ‘Hafnium,’ which took advantage of four vulnerabilities in Microsoft Exchange Server email software.
“While Hafnium is headquartered in China, the bulk of its operations is conducted via leased virtual private servers (VPS) in the United States,” Burt said in March.
Concerned about the country’s recurrent cyberattacks, most recently an attack on a critical gasoline pipeline last week, US President Joe Biden issued an executive order this month establishing new cybersecurity rules.