Security News
The group behind the infamous SolarWinds hacks is on another cyberattack spree, this time targeting not just government agencies but others as well. In a report published Thursday, Microsoft revealed that the threat actor Nobelium launched a series of attacks this past week against government agencies, think tanks, consultants, and non-governmental organizations.
The Microsoft Threat Intelligence Center has discovered that the SolarWinds hackers are behind an ongoing spear-phishing campaign targeting government agencies worldwide. "While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries."
The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.
Nobelium, the Russia-aligned gang identified as the perpetrators of the supply chain attack on SolarWinds' Orion software, has struck again, Microsoft vice president Tom Burt said in a blog post Thursday. Burt's post says the attacks saw Nobelium gain access to accounts on the email marketing service "Constant Contact" used by the United States Agency for International Development.
The hackers who carried out the massive SolarWinds intrusion were in the software company's system as early as January 2019, months earlier than previously known, the company's top official said Wednesday. SolarWinds had previously traced the origins of the hack to the fall of 2019 but now believes that hackers were doing "very early recon activities" as far back as the prior January, according to Sudhakar Ramakrishna, the company's president and CEO. "The tradecraft that the attackers used was extremely well done and extremely sophisticated, where they did everything possible to hide in plain sight, so to speak," Ramakrishna said during a discussion hosted by the RSA Conference.
A Russian spymaster has denied that his agency carried out the infamous SolarWinds supply chain attack in a public relations move worthy of the Internet Research Agency. Sergei Naryshkin, head of the SVR spy agency, made his denial in a BBC interview broadcast on Tuesday.
The United States Cybersecurity and Infrastructure Security Agency has published guidance detailing the steps that organizations affected by the SolarWinds attack should take to ensure they evict the attackers from compromised environments. Tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments, the newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days.
SolarWinds' chief exec has described the 18,000 customers who downloaded backdoored versions of its Orion software as a "very small" number while giving a speech to an infosec event. "Although the number of affected customers is very small, that we eventually discovered, it is still a very important thing to discover, because this is a unique and very novel attack on the supply chain of a company," said Ramakrishna in his opening remarks - adding that "none of our source code control systems were tampered with."
Texas-based IT management company SolarWinds on Friday shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. Initial reports said more than 250 organizations were actually breached, but the U.S. government later said that it had identified roughly 100 private sector companies and 9 federal agencies whose systems were targeted by the attackers.
Agencies in the United States and the United Kingdom on Friday published a joint report providing more details on the activities of the Russian cyberspy group that is believed to be behind the attack on IT management company SolarWinds. The FBI, NSA, CISA and the UK's NCSC say the Russian threat actor tracked as APT29 was behind the SolarWinds attack, which resulted in hundreds of organizations having their systems breached through malicious updates served from compromised SolarWinds systems.