Microsoft has warned of an ongoing “sophisticated” cyber attack that it attributes to the Russia-linked hackers behind the SolarWinds hack. In a blog post, Tom Burt, Microsoft’s vice president of customer security and trust, said the attack appears to target government agencies, think tanks, consultants, and NGOs. In total, an estimated 3,000 email accounts at 150 organizations were targeted. The victims are spread across more than 24 countries, but the majority are believed to be in the United States.
According to Microsoft, the threat actor it tracks as Nobelium was able to send realistic-looking phishing emails by compromising the account of the U.S. International Development Organization at a marketing service called Constant Contact. Microsoft’s post contains a screenshot of one of these emails, which claims to contain a link to Donald Trump’s “Election Fraud Documents”. Clicking the link instead installs a backdoor that allows the attackers to steal data or infect other computers on the same network.
In a statement, a spokesperson for Constant Contact said, “We know that the account credentials of one of our customers have been compromised and used by a malicious actor to gain access to the customer’s Constant Contact account. This is an isolated case, and we temporarily disabled the affected accounts while working with our clients, who are working with law enforcement agencies.”
Microsoft believes that many of the attacks were blocked automatically and that its Windows Defender antivirus software also limits the spread of the malware. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged Microsoft’s blog post and encouraged administrators to apply the “needed mitigations”.
These malicious emails are a warning that supply chain cyberattacks against U.S. organizations show no signs of slowing down, and that the attackers are updating their methods as previous attacks become public. In its post, Microsoft calls for clear international norms governing “the behavior of national states in cyberspace” and for clear expectations of the consequences of violating them.
The U.S. government has accused Russia’s foreign intelligence agency, the SVR, of hacking SolarWinds. Russian President Vladimir Putin denied Russian involvement. The attack is estimated to have affected about 100 private companies and 9 federal agencies, and up to 18,000 SolarWinds customers are estimated to have been exposed to the malware. In response, President Biden announced new sanctions against Russia and expelled 10 Russian diplomats from Washington.