SolarWinds hackers Nobelium targeting government agencies, NGOs and think tanks

About 3,000 email accounts at more than 150 different organisations were targeted in the latest attacks from Nobelium

The cyber actors behind the massive SolarWinds hack identified last year have been targeting government agencies, NGOs, think tanks, and consultants in multiple countries, Microsoft has warned.

Researchers at the Microsoft Threat Intelligence Center (MSTIC) recently observed a new wave of cyber attacks from the Nobelium group. Nobelium (also known as UNC2452, Dark Halo, SolarStorm, and StellarParticle) is believed to be a Russian government-sponsored threat group.

The threat actors hijacked an electronic mail system used by the United States Agency For International Development (USAID) and then exploited it to launch phishing attacks on other organisations.

After gaining access to the Constant Contact account of USAID, the attackers sent phishing messages that looked completely authentic.

Those messages also contained a link which, when clicked by the recipients, downloaded a malicious document used to distribute the NativeZone backdoor.

About 3,000 email accounts at more than 150 different organisations were targeted in the latest attacks from Nobelium. Entities in at least 24 countries were targeted, although US organisations were most frequently hit, according to Microsoft.

Tom Burt, Microsoft's corporate vice president for customer security, said in a blog post: "We've previously disclosed activity by Strontium and other actors targeting major elections in the US and elsewhere."

"This is yet another example of how cyber attacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organisations."

Burt added that the company is notifying all customers who were targeted by threat actors.

"We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft's products or services," Burt said.

The fresh wave of attacks from Nobelium appears to be a continuation of intelligence gathering efforts by Russian threat actors.

The massive SolarWinds hack targeting US organisations was disclosed in December, after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were found to have been compromised in a massive cyber campaign.

At least nine federal agencies and dozens of private firms were hacked in these attacks.

Cyber security firm FireEye revealed that attackers launched attacks after compromising SolarWinds' network monitoring software Orion. They inserted "malicious code into legitimate software updates for the Orion software" which allowed them remote access into the victim's environment.

Microsoft said that the hackers were able to access some of its source code, although they could not make any changes to it.

The networking equipment maker Cisco also said that nearly two dozen computer systems used by Cisco researchers in the company lab were compromised through SolarWinds-related malware.

Last month, the US Treasury Department sanctioned six Russian technology firms for aiding government hackers engaged in "dangerous and disruptive cyber attacks".

The Department said that the sanctioned firms were developing infrastructure and tools, providing expertise, and carrying out malicious cyber activities on behalf of Kremlin Intelligence Services.

The US also formally named Russia's SVR, a successor to the Soviet KGB, as being behind the SolarWinds attacks.