https://safirsoft.com The SolarWinds hackers aren’t back—they never went away

A new phishing campaign is less an escalation than a regression to the mean.

The Russian hackers who breached SolarWinds IT management software to compromise a slew of United States government agencies and businesses are back in the limelight. Microsoft said on Thursday that the same “Nobelium” spy group has built out an aggressive phishing campaign since January of this year and ramped it up significantly this week, targeting roughly 3,000 individuals at more than 150 organizations in 24 countries.

The revelation caused a stir, highlighting as it did Russia's ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation, I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred and I don’t think they’re likely to be deterred.”https://safirsoft.com The SolarWinds hackers aren’t back—they never went away

Russia's latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia's SVR foreign intelligence agency, could send out specially crafted spear-phishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft corporate vice president for customer security and trust Tom Burt wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week's targeting.

Advertisement

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium's general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It's a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently," says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there's also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it's an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years."

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It's also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it's likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn't stop and start based on public shaming. Nobelium's activity is certainly unwelcome, but it doesn't in itself portend some great escalation.

Additional reporting by Andy Greenberg. This story originally appeared on wired.com.

The SolarWinds hackers aren’t back—they never went away
the-solarwinds-hackers-aren-t-back-they-never-went.html

https://safirsoft.com Here are a bunch of iOS 15 features that Apple didn’t mention earlier

Here are a bunch of iOS 15 features that Apple didn’t mention earlier

As usual, some of the most intriguing changes weren't necessarily the biggest.

As Apple's annual WWDC conference wraps up, we have a whole week ...

https://safirsoft.com CD Projekt Red says its data is likely circulating online after ransom attack

CD Projekt Red says its data is likely circulating online after ransom attack

Data taken in breach disclosed in February likely related to employees and contractors.

CD Projekt Red, the maker of The Witcher series, Cyberpu...

https://safirsoft.com MySQL 101: Installation, care, and feeding on Ubuntu

MySQL 101: Installation, care, and feeding on Ubuntu

If you've got 15 minutes, we can show you the ropes of basic MySQL management.

One of the tasks nearly any sysadmin frequently encounters is the...

https://safirsoft.com Google Chrome ends its war on address bar URLs—for now, at least

Google Chrome ends its war on address bar URLs—for now, at least

As it turns out, hiding URL information does not help security.

Chrome is ending its war on address bar URLs—at least for now. About a year a...

https://safirsoft.com Android 12’s beautiful color-changing UI already lives up to the hype

Android 12’s beautiful color-changing UI already lives up to the hype

Android 12's "Material You" UI debuts in Beta 2, and we go hands-on.

Android 12 Beta 2 came out this week, and with it, a lot of features we've ...

https://safirsoft.com iOS, web versions of Dark Sky weather app will shut down in 2022

iOS, web versions of Dark Sky weather app will shut down in 2022

Apple already shut down the Android version after acquiring the app last year.

A new blog post from the developers of Apple-owned, hyperlocal we...