Microsoft has issued a warning about a “sophisticated” ongoing cyberattack believed to be the work of the same Russia-linked hackers responsible for the SolarWinds hack. In a blog post, Microsoft’s corporate vice president for customer security and trust, Tom Burt, stated that the attack appears to be targeting government agencies, think tanks, consultants, and non-governmental organizations (NGOs).
Around 3,000 email accounts are thought to have been targeted across 150 organizations in total. Victims have been reported in as many as 24 countries, with the majority believed to be in the United States.
According to Microsoft, hackers from the threat actor Nobelium were able to compromise the account of the US Agency for International Development on the marketing service Constant Contact, allowing them to send authentic-looking phishing emails.
Microsoft’s post includes a screenshot of one of these emails, which purported to contain a link to Donald Trump’s “documents on election fraud.” When this link was clicked, however, a backdoor was installed, allowing the attackers to steal data or infect other computers on the same network.
“We are aware that one of our customers’ account credentials were compromised and used by a malicious actor to access the customer’s Constant Contact accounts,” a Constant Contact spokesperson said in a statement.
“This is an isolated incident, and we have temporarily disabled the affected accounts while we work with our customer, who is assisting law enforcement.”
Microsoft claims that many of the attacks were automatically blocked and that its Windows Defender antivirus software is also limiting the spread of the malware.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged Microsoft’s blog post and encouraged administrators to implement the “necessary mitigations.”
This barrage of malicious emails serves as a reminder that supply chain cyberattacks against US organizations are not abating, and that hackers are adapting their tactics as previous attacks become public. In its post, Microsoft calls for the establishment of new international norms governing “nation-state conduct in cyberspace,” together with clear expectations of the consequences for breaking them.
According to Bloomberg, the US government blamed SVR, Russia’s foreign intelligence service, for the SolarWinds hack, despite Russia’s president, Vladimir Putin, denying Russian involvement. The attack is thought to have compromised approximately 100 private-sector companies and nine federal agencies.
The malicious code is thought to have infected up to 18,000 SolarWinds customers. As a result, President Biden announced new sanctions against Russia and moved to expel ten Russian diplomats from Washington, according to Bloomberg.