UPDATED 13:12 EDT / MAY 28 2021

Microsoft uncovers phishing campaign launched by Russian hackers behind SolarWinds attack

Microsoft Corp. says a Russia-linked hacking group has targeted more than 150 organizations in a phishing campaign with malicious emails disguised as messages from the United States Agency for International Development.

The campaign was detected and detailed late Thursday by researchers from Microsoft’s MSTIC unit, which tracks nation-state cyberattacks. The researchers have determined that the targeted organizations included government agencies, think tanks, consultants and nongovernmental organizations. 

Microsoft refers to the hacking group behind the phishing emails as Nobelium. “Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020,” Tom Burt, Microsoft’s vice president for customer security and trust, wrote in a blog post detailing the phishing campaign. The White House stated in April that the SolarWinds hack was carried out by Russia’s foreign intelligence service.

In the latest cyberattack detailed by Microsoft, Nobelium compromised USAID’s Constant Contact account to send malicious emails to targets. Constant Contact is a widely used online marketing platform operated by a firm of the same name. 

“We are aware that a bad actor accessed one of our customer’s account credentials to send malicious emails,” Constant Contact Inc. said in a statement today. “This appears to be an isolated incident. We have temporarily disabled the impacted accounts, and are collaborating with the customer as they work with law enforcement.”

According to Microsoft, the hacking group used the breached account to send malicious emails made to look like legitimate USAID messages to about 3,000 email accounts across more than 150 organizations.

“While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries,” Burt wrote. “At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

The malicious emails contained a link that, when clicked, downloaded malware onto users’ machines. The malware, in turn, used a backdoor dubbed NativeZone that allowed it to steal data from compromised computers and infect other systems on the same network.

The researchers believe that most of the malicious messages were filtered by email security systems. Moreover, Windows Defender, the native anti-malware engine in Windows, is now also blocking the malware used in the phishing campaign. Microsoft is currently in the process of notifying customers that have been targeted by Nobelium.

“The NOBELIUM campaign observed by MSTIC and detailed in this blog differs significantly from the NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform,” MSTIC researchers detailed in a technical blog post. “It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents.”

The disclosure of the phishing campaign comes weeks after President Joe Biden signed an executive order to impose an array of sanctions on Russia for interfering in the 2020 presidential election, carrying out the SolarWinds hacking campaign and other actions. As part of the move, the U.S. hit 32 entities and individuals with sanctions and placed restrictions on buying Russian sovereign debt.

Photo: Unsplash
