Microsoft Warns of a New Russian Cyberattack

Microsoft last night warned that the same pro-Russia hackers that carried out the SolarWinds attack last year are now targeting human rights groups and other organizations that are critical of Russian president Vladimir Putin.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations,” Microsoft corporate vice president Tom Burt explains. “Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

The awkwardly timed discovery comes just weeks before U.S. president Joseph Biden is scheduled to meet with Mr. Putin in Geneva.

According to Microsoft, Nobelium broke into an email account at a supplier used by the U.S. State Department and sent out 3,000 malicious phishing emails to over 150 organizations with ties to the United States Agency for International Development (USAID), with the goal of setting up backdoors into their networks. Microsoft believes the attacks are ongoing.

“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Mr. Burt continues. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”

“Nation-state cyberattacks aren’t slowing,” he concludes. “We need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.”

Conversation 12 comments

  • anoldamigauser

    Premium Member
    28 May, 2021 - 9:52 am

    This is why we can’t have nice things.

  • Greg Green

    28 May, 2021 - 10:07 am

    Well, I’m not sure what happened with my empty comment. Maybe Nobelium.

    Re phishing attacks, I remember a story of an IT guy giving a phishing warning class to about 40 employees. The day after class he sent a phake phishing attack to all employees and most clicked on it. Sometimes users are hopelessly untrainable. And Nobelium knows it.

    • mattbg

      Premium Member
      28 May, 2021 - 2:57 pm

      A lot of larger companies have regular drills now, where they routinely send out fake phishing e-mails which go to links chiding you for clicking on them. The e-mails get more realistic over time. The metrics all get fed into a central system that lets managers know how their teams are doing and whether they are improving or not. It’s a pretty smart way of training.

      • mestiphal

        29 May, 2021 - 6:16 pm

        Yup, we get one every 3 months. If we report it as phishing we pass; if we click on it, it immediately tells us about it, and we have to go through a training. I think that if we fail three consecutive times there are actually much bigger consequences.

    • wright_is

      Premium Member
      31 May, 2021 - 9:07 am

      (Quickly looks for wood to touch)

      Our users are generally very good. Most forward us strange-looking genuine emails to confirm they aren’t fake. We get half a dozen questionable emails a day sent to us, asking if they are genuine or fake. I’d much rather have that than having to deal with users who click on phishing links or install a trojan through a fake mail.

  • lvthunder

    Premium Member
    28 May, 2021 - 11:15 am

    Sounds like we need to designate them as a terrorist organization and treat them accordingly.

  • navarac

    28 May, 2021 - 11:18 am

    I trust the West is doing the same to the Russians? Or are we too law-abiding?

    • lvthunder

      Premium Member
      28 May, 2021 - 11:53 am

      I wouldn’t call it law-abiding. I would say we have better morals than that. Steve Gibson on Security Now this week was talking about how a Russian-based group encrypted Ireland’s Medical System and wanted $1000 under $20 million to get their data back and it not sold or published. If we are doing this type of stuff we are just spying. We wouldn’t shut down their healthcare system or shut down essential utilities.

  • winner

    31 May, 2021 - 1:28 am

    The common element is Microsoft Outlook.

    • wright_is

      Premium Member
      31 May, 2021 - 9:12 am

      Not really. Exchange server =/= Outlook and Exim most definitely doesn’t require Outlook as a mail client and doesn’t run on Windows Server either. The same for SolarWinds, it isn’t even a Microsoft product.

      Nobody is "sitting pretty" in this mess, either on the proprietary software side or open source. No software product is perfect or 100% secure. The only way to secure a computer is to disconnect all the cables and bury it in concrete.

      • winner

        01 June, 2021 - 6:26 pm

        Thanks, I stand corrected. When I said "Outlook" I meant the mail system and of course that is not just Outlook.

  • dftf

    31 May, 2021 - 9:26 pm

    It’s a good thing Windows 10 ships with the ransomware protection feature enabled by default ("Controlled folder access")… oh no, wait, it doesn’t.

    I can see a repeat of Windows XP happening where before Service Pack 2 the built-in "Internet Connection Firewall" wasn’t turned on by default, and some major worms went around globally…

Thurrott © 2024 Thurrott LLC