Security News

Microsoft on Thursday disclosed that the threat actor behind the SolarWinds supply chain hack returned to the threat landscape to target government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S. Some of the entities that were singled out include the U.S. Atlantic Council, the Organization for Security and Co-operation in Europe, the Ukrainian Anti-Corruption Action Center, the EU DisinfoLab, and the Government of Ireland's Department of Foreign Affairs. The attacks leveraged a legitimate mass-mailing service called Constant Contact to conceal its malicious activity and masquerade as USAID, a U.S.-based development organization, for a wide-scale phishing campaign that distributed phishing emails to a variety of organizations and industry verticals.

The group behind the infamous SolarWinds hacks is on another cyberattack spree, this time targeting not just government agencies but others as well. In a report published Thursday, Microsoft revealed that the threat actor Nobelium launched a series of attacks this past week against government agencies, think tanks, consultants, and non-governmental organizations.

The Microsoft Threat Intelligence Center has discovered that the SolarWinds hackers are behind an ongoing spear-phishing campaign targeting government agencies worldwide. "While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries."

The Russia-linked threat group believed to be behind the SolarWinds attack has been observed launching a new campaign this week. The attacks have targeted the United States and other countries, and involve a legitimate mass mailing service and impersonation of a government agency.

Nobelium, the Russia-aligned gang identified as the perpetrators of the supply chain attack on SolarWinds' Orion software, has struck again, Microsoft vice president Tom Burt in a blogpost Thursday. Burt's post says the attacks saw Nobelium gain access to accounts on the email marketing service "Constant Contact" operated by The United States Agency for International Development.

The hackers who carried out the massive SolarWinds intrusion were in the software company's system as early as January 2019, months earlier than previously known, the company's top official said Wednesday. SolarWinds had previously traced the origins of the hack to the fall of 2019 but now believes that hackers were doing "Very early recon activities" as far back as the prior January, according to Sudhakar Ramakrishna, the company's president and CEO. "The tradecraft that the attackers used was extremely well done and extremely sophisticated, where they did everything possible to hide in plain sight, so to speak," Ramakrishna said during a discussion hosted by the RSA Conference.

A Russian spymaster has denied that his agency carried out the infamous SolarWinds supply chain attack in a public relations move worthy of the Internet Research Agency. Sergei Naryshkin, head of the SVR spy agency, made his denial in a BBC interview broadcast on Tuesday.

The United States Cybersecurity and Infrastructure Security Agency has published guidance detailing the steps that organizations affected by the SolarWinds attack should take to ensure they evict the attackers from compromised environments. Tailored for federal agencies that used affected versions of SolarWinds Orion and which discovered adversary activity within their environments, the newly published analysis report, AR21-134A, details resource-intensive and highly complex steps that will require disconnecting the enterprise network from the internet for three to five days.

SolarWinds' chief exec has described the 18,000 customers who downloaded backdoored versions of its Orion software as a "Very small" number while giving a speech to an infosec event. "Although the number of affected customers is very small, that we eventually discovered, it is still a very important thing to discover, because this is a unique and very novel attack on the supply chain of a company," said Ramakrishna in his opening remarks - adding that "None of our source code control systems were tampered with."

Texas-based IT management company SolarWinds on Friday shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked. Initial reports said more than 250 organizations were actually breached, but the U.S. government later said that it had identified roughly 100 private sector companies and 9 federal agencies whose systems were targeted by the attackers.