The Russian hackers who breached SolarWinds' IT management software to compromise a large number of U.S. government agencies and companies are once again the focus of attention. Microsoft said on Thursday that the same "Nobelium" espionage group has been running an aggressive phishing campaign since January, one that escalated significantly this week and targeted approximately 3,000 people at more than 150 organizations in 24 countries.
The news caused a stir, underscoring Russia's ongoing and deep-rooted digital espionage. In general, though, it should not be surprising that Russia, and the SolarWinds hackers in particular, kept spying even after the United States imposed retaliatory sanctions in April. Compared with SolarWinds, a phishing campaign looks fairly routine.
"I don't think this is an escalation, I think it's business as usual," said John Hultquist, vice president of intelligence analysis at FireEye, the security company that first discovered the SolarWinds intrusion. "I don't think they are intimidated, and I don't think they will be intimidated."
The latest Russian activity is certainly notable. Nobelium took over legitimate accounts at Constant Contact, a mass email service, including accounts belonging to the U.S. Agency for International Development (USAID). From there, the hackers, believed to be members of Russia's SVR foreign intelligence agency, could send tailored spear-phishing emails that genuinely originated from the email accounts of the organizations they were impersonating. The emails contained legitimate links that redirected to Nobelium-controlled infrastructure, which then installed malware giving the attackers control of the target device.
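The link-redirect pattern described above suggests a simple triage check: resolve each link in a suspect message to its final landing host and compare that host with the domains the purported sender actually owns, since a link that starts at a legitimate mailing-service domain can still end somewhere else entirely. The script below is an added example written for this page, not code from Microsoft, Constant Contact, or anyone cited in the article; the sample email, the redirect map standing in for live HTTP Location headers, and every domain in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for following HTTP redirects offline. Each key is a URL
# and each value is the Location header a server would return for it. In a real
# deployment you would fetch each hop with redirects disabled and read the
# Location header yourself. All domains here are hypothetical.
CONSTRUCTED_REDIRECTS = {
    # A mailing-service tracking link that bounces through a CDN to a payload.
    "https://links.mailer.example.net/t/abc123": "https://cdn.example.org/landing",
    "https://cdn.example.org/landing": "https://update.hypothetical-attacker.example/payload.iso",
    # A tracking link that ends on the sender's own site.
    "https://links.mailer.example.net/t/def456": "https://www.sender.example/newsletter",
    # A redirect loop, to exercise the loop guard.
    "https://loop.example.net/a": "https://loop.example.net/b",
    "https://loop.example.net/b": "https://loop.example.net/a",
}

# Constructed message body; the sender domain and links are hypothetical.
SAMPLE_EMAIL = """From: Agency Notifications <noreply@sender.example>
Subject: Special Alert: new documents released

Click here to view the documents: https://links.mailer.example.net/t/abc123

Unsubscribe: https://links.mailer.example.net/t/def456
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def resolve_chain(url, redirects, max_hops=10):
    """Follow a redirect map from url; return (chain_of_urls, status).

    status is "ok", "loop" (a URL repeated) or "too_many_hops".
    """
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            return chain, "loop"
        chain.append(nxt)
    if chain[-1] in redirects:
        return chain, "too_many_hops"
    return chain, "ok"


def host_of(url):
    return urlparse(url).hostname or ""


def host_matches(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def analyze_email(raw_email, trusted_domains, redirects=CONSTRUCTED_REDIRECTS):
    """Return one finding per link in the message body.

    A link is "ok" only if its chain resolves cleanly and the final host
    belongs to a domain the purported sender is known to own; the domain the
    link *starts* on (the mailing service) is deliberately not trusted.
    """
    findings = []
    for url in URL_RE.findall(raw_email):
        chain, status = resolve_chain(url, redirects)
        final_host = host_of(chain[-1])
        trusted = any(host_matches(final_host, d) for d in trusted_domains)
        findings.append({
            "link": url,
            "final": chain[-1],
            "hops": len(chain) - 1,
            "status": status,
            "verdict": "ok" if trusted and status == "ok" else "suspicious",
        })
    return findings


if __name__ == "__main__":
    for f in analyze_email(SAMPLE_EMAIL, {"sender.example"}):
        print(f"{f['verdict']:10} hops={f['hops']} {f['link']} -> {f['final']}")
```

The check keys on the final landing host rather than the visible link precisely because the campaign's links were legitimate at the first hop. When resolving hops for real, do it from a sandboxed host with redirects disabled; merely requesting a tracked link can tell the sender that the recipient clicked.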
Although the number of targets sounds large, and USAID works with many people in sensitive positions, the actual impact may not be as severe as it first appears. Microsoft acknowledged that some emails may have gotten through, but said its automated spam systems blocked many of the phishing messages. Tom Burt, Microsoft's corporate vice president for customer security and trust, wrote in a blog post on Thursday that the company considered the campaign "sophisticated," and that in the months leading up to this week's targeting, Nobelium had continuously developed and refined its approach.
"These observations likely represent changes in the actor's tradecraft and possible experimentation following widespread disclosure of the previous incident," the post continued. In other words, this may be a pivot made after their SolarWinds cover was blown.
But the approach in this latest phishing campaign also reflects Nobelium's general practice of establishing a foothold on one system or account and then using it to reach other systems or accounts, across multiple targets. For an intelligence agency, that is a matter of course.
"If this had happened before SolarWinds, we wouldn't have thought anything of it. It's only the backdrop of SolarWinds that makes us think differently," said Jason Healey, a former Bush White House staff member and now a cyber conflict researcher at Columbia University. "If this had happened in 2019 or 2020, I don't think anyone would have blinked at it."
As Microsoft pointed out, there is nothing unexpected about Russian spies, Nobelium in particular, targeting government agencies such as USAID, NGOs, think tanks, research groups, or military and IT service contractors.
"NGOs and Washington think tanks have been high-value soft targets for decades," said a former cybersecurity adviser at the Department of Homeland Security. "Also, when it comes to incident response, USAID and the State Department are a bunch of irresponsibly subcontracted IT networks and infrastructure. This is an open secret. Some of those systems have been compromised for years in the past."
Compared with the scope and sophistication of the SolarWinds breach in particular, the broad phishing campaign feels almost like a step down. It is also worth remembering that the fallout from SolarWinds is still ongoing; even after months of publicity about the incident, Nobelium is likely still lurking in at least some of the systems it compromised during that operation.
"I'm sure they still have access from the SolarWinds activity in some places," said Hultquist of FireEye. "The main thrust of the activity has waned, but they are likely lingering in several places."
This is the reality of digital espionage: it does not stop and start based on public shaming. Nobelium's activity is of course unwelcome, but it does not in itself herald some major escalation.
Additional reporting by Andy Greenberg.