Microsoft Says Russian Hackers Behind SolarWinds Currently Attacking Targets in 24 Countries

Russian President Vladimir Putin makes a video message to the participants of the Russian Congress on Pediatric Oncology on May 27, 2021. (Photo: Sergei ILYIN / Sputnik / AFP, Getty Images)

The hackers behind the massive SolarWinds attack are currently trying to access the email systems of thousands in western governments, think tanks, and NGOs that may be opposed to the Russian government, according to a warning released late Thursday night by Microsoft.

The hackers, dubbed Nobelium by researchers, have targeted roughly 3,000 email accounts at more than 150 organisations, according to Microsoft. The hacking attempts were first identified in January of this year but they’re ongoing, according to the company.

“While organisations in the United States received the largest share of attacks, targeted victims span at least 24 countries,” Microsoft said in a statement. “At least a quarter of the targeted organisations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020.”

One of the targets, according to Microsoft, was the Constant Contact account of the U.S. Agency for International Development (USAID), which is ostensibly designed for administering foreign aid and encouraging business development around the world.

“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft explained.

“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Microsoft’s statement continued.

Why would Russia want to go after USAID? Well, the agency has sometimes been used as an instrument of regime change, like when USAID secretly created a text-based version of Twitter for Cuba in 2010 during an effort to sow anger at the country’s leader Fidel Castro. The Associated Press broke that story in 2014 and Castro died in 2016.

But officially, Microsoft gave three reasons for the recent attacks:

First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organisations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organisations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organisations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organisations.

Third, nation-state cyberattacks aren’t slowing. We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules. We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.

The SolarWinds hack was one of the worst attacks on computers in the U.S., dropping malicious code in some of the most sensitive computer systems run by the U.S. government and its contractors. Most people believe the SolarWinds attack was executed at the behest of Russian president Vladimir Putin, and Microsoft isn’t being very subtle with their new statement about who’s behind this latest attack.

Nobelium is coming for critics of Putin and they’re not giving up, at least if you believe Microsoft, which shouldn’t be a surprise. It’s just another day in the New Cold War.