A Russia-based group, in the wake of the SolarWinds hacking campaign, has launched a new campaign that appears to target government agencies, think tanks and non-governmental organizations, researchers said on Thursday.
The hacking group, which Microsoft calls Nobelium and which is widely believed to be controlled by Russia's Foreign Intelligence Service, or SVR, launched its latest attack after gaining access to an email marketing service used by the U.S. Agency for International Development, or USAID, according to Microsoft.
"The attack appears to be a continuation of numerous Nobelium attempts to target government agencies involved in foreign policy as part of efforts to mobilize intelligence," Tom Burt, Microsoft's vice president of customer security and trust, wrote in a blog post.
The campaign, which Microsoft describes as an active incident, targeted 3,000 email accounts at 150 organizations, mostly in the United States, he said. But there were targets in at least 24 countries. At least a quarter of the targeted organizations are said to be involved in international development and human rights work.
The attempt involved sending phishing emails to steal sensitive information. The cybersecurity company Volexity, which also monitored the campaign but has less visibility into email systems than Microsoft, wrote in a blog post that the very low detection rates for the phishing emails suggest that the attacker "may be more successful in breaking the rules."
Russia's Foreign Ministry did not immediately respond to a request for comment. SVR director Sergei Naryshkin has previously mocked allegations by the U.S. and U.K. governments that his agency was behind the SolarWinds intrusion.
Microsoft did not say how many of the attempts succeeded. It said most of the emails in the high-volume campaign would have been blocked by default protections.
The email campaign has been under way since at least January and has evolved in waves, according to a separate blog post.
Microsoft said in a blog post on Thursday that the Nobelium phishing campaign was ongoing. "It is expected that more work can be done by the team using flexible methods," the company said.
Nobelium, Burt said, logged into a USAID account with Constant Contact, a mass-mailing service.
In an emailed statement, a Constant Contact spokesperson said the compromise of the USAID account on its platform was "a one-off event" and that the company had temporarily disabled the accounts that might have been affected.
On Wednesday, emails designed to look as if they came from USAID were sent out, including some marked "special warning" and some titled "Donald Trump published new papers on election fraud," Microsoft said.
A phishing email, designed to steal sensitive information, made to appear as though it came from USAID.
When users click a link, a malicious file is installed on their system, giving Nobelium access to the compromised machines, Microsoft said.
Burt said Microsoft had detected the attack through the work of its threat intelligence teams, which track "international actors." He wrote that the company had no reason to believe there was any risk to its products or services.
The SolarWinds attack, discovered late last year, involved compromising widely used software made by a Texas-based company and led to the intrusion of at least nine government agencies and several companies.
Microsoft President Brad Smith called it the "biggest attack the world has ever seen."
Before the SolarWinds campaign, the SVR was known for its phishing operations, which makes the USAID scam a return to form for the group, said John Hultquist, director of intelligence analysis at Mandiant, a cybersecurity company that also monitored the operation.
"This has changed as SolarWinds is spinning on the ground," he said. "This is a reminder that espionage does not work. You can't make the Russians stop exploring."
Investigations into the incident are ongoing, USAID said in a statement.
"USAID has informed and worked with all relevant government officials, including the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA)," the agency said.
A CISA spokesperson said the agency was working "to better understand the scale of the agreement and to assist potential victims."