Melodi

Disaster Cat
I thought what happened in Ireland at the HSE might be a "trial run" for targeting government agencies in the US in States and larger countries - I realize this is officially connected to the Solar Wind attack on the pipeline, but I thought it was important enough to do a stand-alone post since they are now targeting governments and other organizations in the US. This information is coming out from Microsoft, but I hope we will get other sources soon - Melodi

SolarWinds hackers are at it again, targeting 150 organizations, Microsoft warns
Microsoft said that Nobelium, a Russian-based hacking group, launched the phishing campaign by gaining access to a marketing account of USAID.

May 28, 2021, 7:11 AM BST
By Phil Helsel and Ezra Kaplan
The Russian-based group behind the SolarWinds hack has launched a new campaign that appears to target government agencies, think tanks and non-governmental organizations, Microsoft said Thursday.

Nobelium launched the current attacks after getting access to an email marketing service used by the United States Agency for International Development, or USAID, according to Microsoft.


"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," Tom Burt, Microsoft vice president of customer security and trust, wrote in a blog post.

The campaign, which Microsoft called an active incident, targeted 3,000 email accounts across 150 organizations, mostly in the United States, Burt said. But the targets are in at least 24 countries. At least a quarter of the targeted organizations are said to be involved in things like international development and human rights work.

The effort involved sending phishing emails that were made to look legitimate but designed to deliver malicious files.

Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, wrote in a post that relatively low detection rates of the phishing emails suggest the attacker was “likely having some success in breaching targets,” the Associated Press reported.

Microsoft did not say whether or how many attempts were successful. It said many emails in the high-volume campaign would have been blocked by automated systems.

The email campaign has been going on since at least January and evolved over waves, Microsoft said in a separate blog post.
 

Housecarl

On TB every waking moment
You would think that everything of concern would have been physically unplugged from the net by now, but convenience always seems to trump security.
 

Plain Jane

Just Plain Jane

Microsoft Claims It Has Found Evidence Of Another Russian-Backed Government Hack

BY TYLER DURDEN
FRIDAY, MAY 28, 2021 - 08:10 AM
Hackers have made some serious strides in their ability to circumvent corporate system protections in recent years, which is one reason we have seen so many high-profile incidents, including the Colonial Pipeline hack (which further emboldened shadowy criminal groups around the world after the company paid a nearly $5 million ransom). But while the world waits for the US government to hold the shadowy group, known as Darkside, accountable, Microsoft warned in a blog post published Friday morning that it has discovered evidence of another massive government hack that's already underway.

In a blog post published Friday, Microsoft Vice President Tom Burt said this past week’s attack (which is still ongoing) has granted access to about 3K email accounts at more than 150 organizations by infiltrating a digital marketing service used by the US Agency for International Development (USAID) called Constant Contact.


The hackers distributed phishing emails, among them “Special Alerts,” declaring that former President Trump had published new documents on election fraud, and inviting users to view them.

The hackers that infiltrated software vendor Solarwinds succeeded in what Microsoft described as one of the worst data breaches ever to hit the US government. Now, this new cyberattack has infiltrated more than 150 government agencies, think tanks and other organizations. And according to Microsoft, it was carried out by the same people.

This group, which Microsoft calls "Nobelium," is believed to be linked to the same Russian government agency that backed the Solarwinds attack, though Microsoft didn't say much about their reasons for arriving at this conclusion.

While there was no ransomware component to the Solarwinds hack, Microsoft said that at least 25% of the targets of this week's attacks were involved in international development, humanitarian, and human rights work, across at least 24 countries. This suggests the group is more interested in "intelligence gathering efforts" than corporate sabotage.
"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," the company said.
The US government said last month that SolarWinds was the work of SVR, the Russian foreign intelligence service, and said it also went by the names of APT29, which UK intelligence says spent much of last year hacking foreign governments for vaccine research, and Cozy Bear, which was allegedly involved in the 2016 hack of the DNC.

Read Microsoft's complete blog post below:

This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations. This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.

Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network. You can read more about the technical aspects of these attacks in this blog post from the Microsoft Threat Intelligence Center (MSTIC).

Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack. We’re also in the process of notifying all of our customers who have been targeted. We detected this attack and identified victims through the ongoing work of the MSTIC team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.

These attacks are notable for three reasons.

First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines.

In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.

Third, nation-state cyberattacks aren’t slowing. We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules. We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.
 

et2

TB Fanatic
Well ... I remember hearing back when the Demonrats were trying to pin Russian collusion on Trump, an article (can't remember from whom) saying that they can make (set up) anyone they want by making it look like hacking, information, blackmail, etc., from anyone they choose ... and that it's the USA that can do it.

Just saying
 

Melodi

Disaster Cat
I don't know if the actual perps are Russian either, but the message is that more governments and NGOs may be under cyber attacks.

Since in Ireland that is costing the health service 100 million Euros and counting, that could be a big problem.
 

Kris Gandillon

The Other Curmudgeon
_______________
You would think that everything of concern would have been physically unplugged from the net by now, but convenience always seems to trump security.
In most cases, you would lose critical functionality if it was unplugged from the Internet. The Internet is key to how things work now for the most part.

ETA: That is almost as nonsensical as suggesting we should simply shut down the grid because it would be safer and more secure to not have anything working.
 