The Russia-based group behind the SolarWinds hack has launched a new campaign that appears to target government agencies, think tanks and nongovernmental organizations, researchers said Thursday.
The prolific hacker group, which Microsoft refers to as Nobelium and is widely believed to be run by Russia’s Foreign Intelligence Service, or SVR, launched the current attacks after getting access to an email marketing service used by the U.S. Agency for International Development, or USAID, according to Microsoft.
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," Tom Burt, Microsoft vice president of customer security and trust, wrote in a blog post.
The campaign, which Microsoft called an active incident, targeted 3,000 email accounts across 150 organizations, mostly in the United States, he said. But the targets are in at least 24 countries. At least a quarter of the targeted organizations are said to be involved in missions including international development and human rights work.
The effort involved sending phishing emails. Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, wrote in a blog post that relatively low detection rates of the phishing emails suggest the attacker was “likely having some success in breaching targets.”
The Russian Ministry of Foreign Affairs didn't immediately respond to a request for comment. SVR Director Sergei Naryshkin has previously mocked the U.S. and the U.K. governments' claims that his agency was responsible for the SolarWinds hack.
Microsoft did not say whether or how many attempts were successful. It said many emails in the high-volume campaign would have been blocked by automated systems.
The email campaign has been going on since at least January and has evolved in waves, it said in a separate blog post.
Microsoft said in Thursday's blog that Nobelium's spearphishing campaign is ongoing. "It is anticipated that additional activity may be carried out by the group using an evolving set of tactics," it said.
Nobelium, Burt said, accessed USAID's account with Constant Contact, a mass-mailing service.
In an emailed statement, a spokesperson for Constant Contact said that the compromise of USAID’s account on its platform was “an isolated incident” and that the company has temporarily disabled accounts that may have been impacted.
On Tuesday, emails were sent that were meant to look like they were from USAID, including some that read "special alert" and "Donald Trump has published new documents on election fraud," Microsoft said.
If users click the link, a malicious file is installed on their system that gives Nobelium access to the compromised machines, Microsoft said.
Burt said Microsoft detected the attack through the work of its threat intelligence center in tracking "nation-state actors." He wrote that the company has no reason to believe there is a vulnerability with its products or services.
The SolarWinds attack, which was discovered late last year, involved hacking widely used software made by the Texas-based company and led to the infiltration of at least nine federal agencies and dozens of companies.
Microsoft President Brad Smith called it "the largest and most sophisticated attack the world has ever seen."
Before the SolarWinds campaign, the SVR was more widely known for spearphishing campaigns, making the USAID scam something of a return to form for the agency, said John Hultquist, the director of intelligence analysis at Mandiant, a cybersecurity company that also tracked the campaign.
“This spun up as SolarWinds spun down,” he said. “This is a reminder that espionage isn’t going away. You’re not going to get the Russians to stop spying.”
A forensic investigation into the incident is ongoing, USAID said in a statement.
"USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA)," the agency added.
A CISA spokesperson said the agency is working with the FBI to address the "malicious activity" and has not yet "identified significant impact on federal government agencies resulting from these activities."
"CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities. While many organizations have controls in place to block malicious emails and prevent associated impacts, we encourage all organizations to review our Activity Alert and take steps to reduce their exposure to these types of threats," the spokesperson said in a statement.
CORRECTION (May 28, 2021, 5:45 p.m. ET) An earlier version of this article misstated when the phishing emails were sent. They were sent Tuesday, not Wednesday.