Microsoft: Nobelium Cyberattackers Targeting Governments, NGOs

Cyberattack

Microsoft said this week that the group behind the cyberattacks on SolarWinds customers last year has turned its focus on government agencies, think tanks and NGOs.

Nobelium this week targeted roughly 3,000 email accounts at more than 150 different organizations across 24 countries, with at least a quarter of the targets involved in human rights work, humanitarian efforts or international development, Microsoft said in a blog post.

“Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020,” wrote Tom Burt, Microsoft’s vice president for customer security and trust. “These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence-gathering efforts.”

The group carried out its attacks after getting access to USAID’s Constant Contact email marketing service and distributing phishing emails that “looked authentic, but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” the post said. Once that door was open, the attackers had free rein to do things like steal data or infect other computers within a network. Microsoft said that many attacks were automatically blocked, and that targeted customers have been notified.

Burt wrote that the attacks were notable for a few reasons. “First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”

Beyond that, it’s another indication of how cyberattackers tailor their attacks for the country in which they operate, and that cyberattacks on nations aren’t slowing.

Burt’s comments come almost two months after The Department of Homeland Security announced a series of “cybersprints” to deal with ransomware, a problem that cost American companies more than $29 million last year.