Russian SolarWinds hackers launch email attack on government agencies

The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted phishing assault on US and foreign government agencies and thinktanks this week using an email marketing account of the US Agency for International Development (USAid), Microsoft has said.

The effort targeted about 3,000 email accounts at more than 150 different organisations, at least a quarter of them involved in international development, humanitarian and human rights work, the Microsoft vice-president Tom Burt wrote in a blog post late on Thursday.

It did not say what portion of the attempts may have led to successful intrusions. The cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggested the attacker was “likely having some success in breaching targets”.

Microsoft identified the group carrying out the attacks as Nobelium, originating from Russia and the same actor behind the attacks on SolarWinds customers in 2020.

Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence-gathering efforts”. He said the targets spanned at least 24 countries.

The hackers gained access to USAid’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated 25 May purported to contain new information on 2020 election fraud claims and included a link to malware that allowed the hackers to “achieve persistent access to compromised machines”.

Microsoft said in a separate blogpost that the campaign was ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January that escalated to the mass mailings of this week.

It comes weeks after a 7 May ransomware attack on Colonial Pipeline shut the US’s largest fuel pipeline network for several days, disrupting supply.

The SolarWinds hack began as early as March 2020 when malicious code was sneaked into updates to popular software called Orion, made by the company, which monitors the computer networks of businesses and governments for outages. That malware gave elite hackers remote access to an organisation’s networks so they could steal information.


What was the SolarWinds hack?


In early 2020, malicious code was sneaked into updates to a popular piece of software called Orion, made in the US by the company SolarWinds, which monitors the computer networks of businesses and governments for outages.

That malware gave hackers remote access to an organisation’s networks so they could steal information. Among the most high-profile users of the software were US government departments including the Centers for Disease Control and Prevention, the state department, and the justice department.

Described by the Microsoft president, Brad Smith, as “the largest and most sophisticated attack the world has ever seen”, US intelligence agencies have accused Russia of launching the attack.

SolarWinds, of Austin, Texas, provides network monitoring and other technical services to hundreds of thousands of organisations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.

Its compromised product, Orion, is a centralised monitoring tool that looks for problems in an organisation’s computer network, which means that breaking in gave the attackers a “God view” of those networks.

Neither SolarWinds nor US cybersecurity authorities have publicly identified which organisations were breached. Just because a company or agency uses SolarWinds as a vendor does not necessarily mean it was vulnerable to the hack.

Kari Paul and Martin Belam

The hacking campaign, which infiltrated dozens of private sector companies and thinktanks as well as at least nine US government agencies, was supremely stealthy and went on for most of 2020 before being detected in December by the cybersecurity firm FireEye. By contrast, this new campaign is what cybersecurity researchers call noisy and easy to detect.

Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates; this campaign piggybacked on a mass email provider. With both methods, the company said, the hackers undermine trust in the technology ecosystem.

The Microsoft president, Brad Smith, has previously described the SolarWinds attack as “the largest and most sophisticated attack the world has ever seen”.

This month, Russia’s spy chief denied responsibility for the SolarWinds attack but said he was “flattered” by the accusations from the US and Britain that Russian foreign intelligence was behind such a sophisticated hack.

The US and Britain have blamed Russia’s foreign intelligence service), successor to the foreign spying operations of the KGB, for the hack.

Associated Press and Reuters contributed to this report