The Russian pirates who violated SolarWinds computer management software compromise a a crowd of U.S. government agencies and businesses they are back in the center. Microsoft said Thursday that the same spy group “Nobelium” has been building an aggressive phishing campaign since January of this year and has increased significantly this week, targeting about 3,000 individuals in more than 150 organizations in 24 countries.
The revelation caused a stir, highlighting how it has led Russia’s ongoing and inveterate digital espionage campaigns. But it should come as no surprise that Russia in general, and the SolarWinds pirates in particular, have continued to spy even after The US imposes revenge sanctions of April. And relative to SolarWinds, a phishing campaign seems downright ordinary.
“I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis for security firm FireEye, which first discovered the SolarWinds intrusion. . “I don’t think they’re deterred and I don’t think they’re likely to be deterred.”
Russia’s latest campaign is certainly worth calling. Nobelium has compromised legitimate accounts from the Constant Contact mass e-mail service, including that of the United States Agency for International Development. From there, the hackers, members of the Russian foreign intelligence agency SVR, were able to send specially created spearphishing emails that actually came from the email accounts of the organization they were impersonating. The emails included legitimate links that were then redirected to Nobelium’s malicious infrastructure and installed malware to take control of the target devices.
While the number of targets seems large, and USAID works with many people in sensitive positions, the actual impact may not be as severe as it first sounds. While Microsoft acknowledges that some messages may have passed, the company says automated spam systems have blocked many of the phishing messages. Microsoft’s corporate vice president for security and customer trust Tom Burt wrote in a blog post Thursday that the company sees the activity as “sophisticated,” and that Nobel has evolved and refined its strategy for the campaign for months ahead of this week’s targeting.
“It is likely that these observations represent changes in the actor’s traditional activity and possible experimentation after widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after its SolarWinds coverage has been blown away.
But the tactics of this latest phishing campaign also reflect Nobel’s general practice of establishing access to a system or account and then using it to access others and jump to numerous goals. It is a spy agency; this is what it does for sure.
“If this happened before SolarWinds we wouldn’t have thought of anything. It’s just the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyber-conflict researcher at the University of Columbia. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to take a look at that.”
As Microsoft points out, there is still nothing unexpected about Russian spies, and in particular the Nobel Prize, intended for government agencies, in particular USAID, NGOs, research groups. , to research groups, or to military and IT service contractors.
“NGOs and DC think tanks have been pretty high-value targets for decades,” says a former Department of Homeland cybersecurity consultant. “And it’s an open secret in the world of incident response that USAID and the State Department are a disorder of unacceptable subcontracted computer networks and infrastructure. In the past, some of those systems they were trade off for years.“
Especially compared to the scope and sophistication of SolarWinds ’breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that SolarWinds ’impacts remain ongoing; even after months of publicity about the incident, it is likely that Nobel will still pursue at least some of the systems it compromised during this effort.
“I’m sure they still have access in some places from the SolarWinds campaign,” says FireEye’s Hultquist. “The main reason for the activity has been diminished, but they are very likely to persist in many places.”
That is just the reality of digital espionage. It does not stop and begins based on public shame. Nobelium’s activity is certainly not welcome, but it does anticipate in itself a grand escalation.
Additional reports from Andy Greenberg.
More Great Stories WIRED