The hackers responsible for the SolarWinds intrusion, who have been linked to Russia’s intelligence services, are now reported to have compromised an email system used by the U.S. State Department’s international aid agency, USAID. The compromised account was then used to send spear-phishing emails to human rights organizations and various U.S. government agencies.
Newsweek reports that Microsoft’s disclosure of the breach comes just weeks before President Joe Biden is set to meet Russian President Vladimir Putin in Geneva, Switzerland. In a blog post on Thursday, Microsoft said that it discovered a “wide-scale malicious email campaign” operated by Nobelium, a Russian hacking group responsible for the attack on SolarWinds and its customers last year.
Nobelium has historically targeted government organizations, non-government organizations (NGOs), think tanks, the military, IT service providers, health technology and research firms, and telecommunications providers. In this latest campaign, Nobelium attempted to target approximately 3,000 individual accounts across more than 150 organizations, following its established pattern of using unique infrastructure and tooling for each target, which improves its chances of remaining undetected for longer.
The company states that it has been monitoring the hacking campaign since January and that it has evolved over a series of waves “demonstrating significant experimentation” on the part of the hackers. The campaign escalated on May 25, when Nobelium used a marketing (mass-mailing) account belonging to USAID to launch spear-phishing attacks on numerous organizations in order to gain access to their data.
Because the messages were sent through USAID’s own account, the phishing emails appeared to originate from authentic USAID email addresses, Microsoft said.
Microsoft lists the attack as an “active incident” and urged organizations to investigate and monitor communications that match the characteristics of the attack described in the report. The company also prescribed a list of actions to help systems and network administrators deal with the ongoing issue.
The Nobelium campaign comes only weeks after a major portion of the United States’ fuel pipeline infrastructure was shut down when hackers from a group calling itself DarkSide hit Colonial Pipeline with a ransomware attack.