Russian hackers who Hacked SolarWinds computer management software compromise a a large number of United States government agencies and companies are back in the limelight. Microsoft said Thursday that the same “Nobelium” spy group has been running an aggressive phishing campaign since January this year and dramatically escalated it this week, targeting around 3,000 people in more than 150 organizations in 24 countries. .
The revelation caused a stir, highlighting Russia’s ongoing and entrenched digital spy campaigns. But it shouldn’t come as a shock that Russia in general, and the SolarWinds hackers in particular, continued to spy even after the United States imposed retaliatory sanctions in April. And compared to SolarWinds, a phishing campaign seems quite ordinary.
“I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at security firm FireEye, who discovered the SolarWinds intrusions. . “I don’t think they’re deterred and I don’t think they’re likely to be deterred.
Russia’s latest campaign is certainly worth noting. Nobelium has compromised legitimate accounts of the Constant Contact mass e-mail service, including that of the United States Agency for International Development. From there, the hackers, believed to be members of the Russian foreign intelligence agency SVR, could send specially crafted spearphishing emails that genuinely came from the organization’s email accounts they were spoofing. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.
Although the number of targets seems large and USAID works with many people in sensitive positions, the real impact may not be as severe as it seems at first glance. Although Microsoft acknowledges that some messages may have been transmitted, the company claims that automated spam systems have blocked many phishing messages. Microsoft’s corporate vice president for customer safety and trust, Tom Burt wrote in a blog post Thursday that the company views the activity as “sophisticated,” and that Nobelium has evolved and refined its strategy for the campaign in the months leading up to this week’s targeting.
“It is likely that these observations represent changes in the acting profession and possible experimentation following widespread revelations of previous incidents,” Burt wrote. In other words, it could be a pivot after their SolarWinds cover has been blown away.
But the tactics of this latest phishing campaign also mirror Nobelium’s general practice of establishing access to one system or account, then using it to gain access to others and jump to many targets. It’s a spy agency; that’s what it does naturally.
“If this had happened before SolarWinds, we wouldn’t have thought about it. It’s only the context of SolarWinds that makes us see it differently, “says Jason Healey, former Bush White House staff member and current Columbia University cyber conflict researcher.” Let’s say this incident occurs in 2019 or 2020, I don’t think anyone is going to blink at that.
As Microsoft points out, there is nothing unexpected about Russian spies, and Nobelium in particular, which target government agencies, USAID in particular, NGOs, think tanks, research groups or military and IT service providers.
“NGOs and DC think tanks have been prime targets for decades,” says a former cybersecurity consultant with the Department of Homeland Security. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable and outsourced networks and IT infrastructure. In the past, some of the these systems have been compromise for years.“
Especially when compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign almost looks like a demotion. It is also important to remember that the impacts of SolarWinds remain permanent; even after months of publicity about the incident, it is likely that Nobelium still haunts at least some of the systems it compromised during this effort.
“I’m sure they still have access to some places thanks to the SolarWinds campaign,” says Hultquist of FireEye. “The main focus of activity has been diminished, but it is very likely that they will persist in several places.”
Which is just the reality of digital espionage. It does not stop and start based on the shame of the public. Nobelium’s activity is certainly undesirable, but in itself it does not bode well for a great escalation.
Additional reporting by Andy Greenberg.
More WIRED stories