SolarWinds hackers are back with a new mass campaign, Microsoft says
The Kremlin-backed hackers who targeted SolarWinds customers in a supply chain attack have been caught conducting a malicious email campaign that delivered malware-laced links to 150 government agencies, research institutions and other organizations in the US and 23 other countries, Microsoft said.
The hackers, belonging to Russia’s Foreign Intelligence Service, first managed to compromise an account belonging to USAID, a US government agency that administers civilian foreign aid and development assistance. With control of the agency’s account for online marketing company Constant Contact, the hackers had the ability to send emails that appeared to use addresses known to belong to the US agency.
“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft Vice President of Customer Security and Trust Tom Burt wrote in a post published on Thursday evening. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
Further ReadingBizarre old-school spyware attacks governments, sports Mark of the BeastThe campaign was carried out by a group that Microsoft calls Nobelium and is also known as APT29, Cozy Bear, and the Dukes. Security firm Kaspersky has said that malware belonging to the group dates back to 2008, while Symantec has said the hackers have been targeting governments and diplomatic organizations since at least 2010. There's more about the off-kilter and old-school coding characteristics of this group here.
