Kremlin-backed cyber spies behind the SolarWinds hack launched an audacious spear phishing campaign against U.S. government agencies this week, Microsoft has revealed.
According to Microsoft, Nobelium, a Russian group, is the same actor behind the 2020 attack on SolarWinds customers.
The attack, which Microsoft disclosed Thursday, appeared to be a continuation of multiple efforts by the group to target government agencies involved in foreign policy as part of its intelligence-gathering work.
The US Department of Homeland Security and the US State Department did not immediately respond to requests for comment from CNN Business.
Most of the targeted organizations were in the United States, but Microsoft says the victims span at least 24 countries.
The SolarWinds campaign, which infiltrated dozens of private-sector companies and think tanks as well as at least nine U.S. government agencies, was supremely stealthy and ran for most of 2020 before the cybersecurity firm FireEye detected it in December. This campaign, by contrast, was what cybersecurity researchers describe as easy to detect.
The phishing email contained a link which, when clicked, would implant code on the target's computer, giving the hackers unfettered access to their files, "from stealing data to infecting other computers on a network," Microsoft Vice President Tom Burt said.
Cybersecurity firm Volexity, which corroborated the findings, said the campaign singled out non-governmental organizations (NGOs), research institutions, government entities, and international agencies in the United States and Europe.
According to Microsoft, Nobelium, a group originating in Russia, launched this week's attacks by gaining access to an email marketing account used by the U.S. government's aid agency, USAID.
Microsoft said numerous attacks targeting its customers were blocked automatically.
On Wednesday, the group sent emails designed to look like they came from USAID, including some that read "special alert" and "Donald Trump has published new documents on election fraud", Microsoft said.
United States intelligence and law enforcement agencies at the time of the SolarWinds hack said the group responsible "likely originated in Russian Federation", adding that the attack was believed to be an act of espionage, CNN reported.
"When coupled with the attack on SolarWinds, it's clear that part of Nobelium's playbook is to gain access to trusted technology providers and infect their customers", Burt said.
"While Volexity cannot say with certainty who is behind these attacks, it does believe it has the earmarks of a known threat actor it has dealt with on several previous occasions", the cybersecurity firm wrote, noting a number of attack attributes used in this campaign that were consistent with previous tactics used by APT29.
"By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem", the company said.
With a summit between U.S. President Joe Biden and his Russian counterpart Vladimir Putin just weeks away, the attack will further raise the question of whether anything can be done to contain this threat.