SolarWinds hackers launch phishing attack

The threat actors behind the SolarWinds attacks have launched a wide-scale email phishing campaign, according to Microsoft. In some cases, the attackers disguised their phishing emails to look as though they came from the U.S. Agency for International Development.

The group, which Microsoft calls Nobelium, historically targets government organizations, think tanks, military, IT service providers, health technology and research institutions and telecommunications companies, according to Microsoft's blog post. The company's threat intelligence team has been tracking the group's email campaign since early this year.

On May 25 Nobelium leveraged Constant Contact, a legitimate mass-mailing service, to “distribute malicious URLs to a wide variety of organizations and industry verticals," Microsoft wrote.

Nobelium allegedly targeted around 3,000 accounts of individuals at 150 different organizations. Most, but not all, of those emails were likely blocked and marked as spam. Microsoft also wrote the notable changes in Nobelium's tactics likely reflect the group's desire and ability to evolve its tradecraft since its campaign against SolarWinds was discovered in 2020.

The Cybersecurity and Infrastructure Security Agency published a short alert May 28 notifying public and private companies of Microsoft's discovery.

"May this serve as a reminder that espionage is unlikely to be deterred," John Hultquist, an executive at FireEye, tweeted on Friday of the campaign. "A loud operation following on the heels of SolarWinds is not an act of contrition."

This article was first posted to FCW, a sibling site to Defense Systems.