“And people click those emails reliably? Really?”
Official photo of the Kremlin
The Russian hackers who broke into SolarWinds’ IT management software to compromise a number of US government agencies and corporations are back in the spotlight. Microsoft announced Thursday that the same “Nobelium” spy group has been building an aggressive phishing campaign since January this year and expanded it significantly this week, targeting around 3,000 people in more than 150 organizations in 24 countries.
The reveal caused a stir, highlighting Russia’s ongoing and inveterate digital espionage campaigns. It shouldn’t come as a shock, however, that Russia in general, and the SolarWinds hackers in particular, continued to spy after the US imposed retaliatory sanctions in April. And compared to SolarWinds, a phishing campaign seems downright ordinary.
“I don’t think it’s escalating, I think it’s going as usual,” said John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusion. “I don’t think you’re going to be put off and I don’t think you’re likely to be put off.”
Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts of the bulk email service Constant Contact, including that of the United States Agency for International Development. From there, the hackers, allegedly members of the Russian foreign intelligence service SVR, were able to send specially crafted spear phishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails contained legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of the target devices.
While the number of targets seems large and USAID works with many people in sensitive positions, the actual impact may not be quite as severe as it initially sounds. While Microsoft admits that some messages may have got through, the company says automated spam systems blocked many of the phishing messages. Tom Burt, corporate vice president of customer safety and trust at Microsoft, wrote in a blog post Thursday that the company sees the activity as “mature” and that Nobelium had been refining its campaign strategy for months ahead of this week’s targeting.
“It is likely that these observations represent changes in the actor’s craft and possible experimentation following widespread revelations of previous incidents,” Burt wrote. In other words, this could be a pivot after the group’s SolarWinds cover was blown.
But the tactics of this latest phishing campaign also mirror Nobelium’s general practice of setting up access to a system or account and then using it to gain access to others and jump to numerous targets. It’s a spy agency; it does that as a matter of course.
“If that had happened before SolarWinds, we wouldn’t have thought anything of it. Only the context of SolarWinds makes us see it differently,” says Jason Healey, a former Bush White House employee and current cyberconflict researcher at Columbia University, I’ll blink an eye at it. “
As Microsoft points out, there is also nothing unexpected about Russian spies, and especially Nobelium, targeting government agencies, especially USAID, NGOs, think tanks, research groups, or military and IT service providers.
“NGOs and DC think tanks have been high quality soft targets for decades,” says a former advisor to the Department of Homeland Security for cybersecurity. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of these systems were compromised for years.”
Especially when compared to the size and complexity of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the effects of SolarWinds are ongoing; even after months of publicity about the incident, it is likely that Nobelium is still tracking at least some of the systems it compromised during that effort.
“I’m sure they still have traffic from the SolarWinds campaign in some places,” says FireEye’s Hultquist. “The main burst of activity has been reduced, but it is very likely that it will continue in multiple locations.”
Which is just the reality of digital espionage. It doesn’t stop and start based on public shame. Nobelium’s activities are certainly undesirable, but in and of themselves they are not a major escalation.
Additional coverage from Andy Greenberg. This story originally appeared on wired.com.