Microsoft Warns of a New Russian Cyberattack

Posted on May 28, 2021 by Paul Thurrott in Cloud, Microsoft with 12 Comments

Microsoft last night warned that the same pro-Russia hackers that carried out the SolarWinds attack last year are now targeting human rights groups and other organizations that are critical of Russian president Vladimir Putin.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations,” Microsoft corporate vice president Tom Burt explains. “Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

The awkwardly timed discovery comes just weeks before U.S. president Joseph Biden is scheduled to meet with Mr. Putin in Geneva.

According to Microsoft, Nobelium broke into an email account at a supplier used by the U.S. State Department and sent out 3,000 malicious phishing emails to over 150 organizations with ties to the United States Agency for International Development (USAID), with the goal of setting up backdoors into their networks. Microsoft believes the attacks are ongoing.

“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Mr. Burt continues. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”

“Nation-state cyberattacks aren’t slowing,” he concludes. “We need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.”


12 responses to “Microsoft Warns of a New Russian Cyberattack”

  1. anoldamigauser

    This is why we can't have nice things.

  2. Greg Green

    Well I’m not sure what happened with my empty comment. Maybe Nobelium.

    Re phishing attacks, I remember a story of an IT guy giving a phishing warning class to about 40 employees. The day after class he sent a phake phishing attack to all employees and most clicked on it. Sometimes users are hopelessly untrainable. And Nobelium knows it.

    • mattbg

      A lot of larger companies have regular drills now, where they routinely send out fake phishing e-mails which go to links chiding you for clicking on them. The e-mails get more realistic over time. The metrics all get fed into a central system that lets managers know how their teams are doing and whether they are improving or not. It's a pretty smart way of training.

      • mestiphal

        Yup, we get one every 3 months. If we report it as phishing we pass; if we click on it, it immediately tells us about it, and we have to go through a training. I think that if we fail three consecutive times there are actually much bigger consequences.
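The drill-and-metrics process mattbg and mestiphal describe above (reporting the mail counts as a pass, clicking triggers training, three consecutive failures escalate, and managers see per-team trends) as an added example that is not part of the original post or of any vendor's product: a small Python aggregator over constructed drill records. The user names, team names, drill numbering and outcome labels are all assumptions made for the illustration.

```python
"""Aggregate simulated-phishing drill results into the metrics a security
team would report to managers. Added example; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DrillResult:
    drill: int      # sequence number of the drill (1 = oldest); assumed quarterly
    user: str
    team: str
    outcome: str    # "reported" (pass), "clicked" (fail) or "ignored" (neither)


# Constructed sample data: three drills, two teams, six users.
SAMPLE_RESULTS = [
    DrillResult(1, "alice", "finance", "clicked"),
    DrillResult(1, "bob", "finance", "clicked"),
    DrillResult(1, "carol", "finance", "reported"),
    DrillResult(1, "dave", "ops", "clicked"),
    DrillResult(1, "erin", "ops", "ignored"),
    DrillResult(1, "frank", "ops", "reported"),
    DrillResult(2, "alice", "finance", "clicked"),
    DrillResult(2, "bob", "finance", "reported"),
    DrillResult(2, "carol", "finance", "reported"),
    DrillResult(2, "dave", "ops", "clicked"),
    DrillResult(2, "erin", "ops", "reported"),
    DrillResult(2, "frank", "ops", "reported"),
    DrillResult(3, "alice", "finance", "clicked"),
    DrillResult(3, "bob", "finance", "reported"),
    DrillResult(3, "carol", "finance", "ignored"),
    DrillResult(3, "dave", "ops", "clicked"),
    DrillResult(3, "erin", "ops", "reported"),
    DrillResult(3, "frank", "ops", "reported"),
]


def team_rates(results):
    """Per team, per drill: (click_rate, report_rate) as fractions of recipients."""
    counts = defaultdict(lambda: defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0}))
    for r in results:
        c = counts[r.team][r.drill]
        c["n"] += 1
        if r.outcome in ("clicked", "reported"):
            c[r.outcome] += 1
    return {
        team: {drill: (c["clicked"] / c["n"], c["reported"] / c["n"])
               for drill, c in sorted(drills.items())}
        for team, drills in counts.items()
    }


def team_trend(results):
    """True when a team's click rate fell between its first and most recent drill
    (the "are they improving?" view managers see)."""
    trend = {}
    for team, drills in team_rates(results).items():
        first, last = drills[min(drills)], drills[max(drills)]
        trend[team] = last[0] < first[0]
    return trend


def needs_training(results, drill):
    """Users who clicked in the given drill and therefore get the follow-up training."""
    return sorted(r.user for r in results if r.drill == drill and r.outcome == "clicked")


def escalation_candidates(results, threshold=3):
    """Users whose most recent `threshold` drills were all clicks (the
    'bigger consequences' case). Users with fewer drills than the threshold
    are never flagged."""
    history = defaultdict(list)
    for r in sorted(results, key=lambda r: r.drill):
        history[r.user].append(r.outcome)
    return sorted(user for user, outcomes in history.items()
                  if len(outcomes) >= threshold
                  and all(o == "clicked" for o in outcomes[-threshold:]))


if __name__ == "__main__":
    for team, drills in team_rates(SAMPLE_RESULTS).items():
        for drill, (click, report) in drills.items():
            print(f"{team:8} drill {drill}: click {click:.0%}, report {report:.0%}")
    print("improving:", team_trend(SAMPLE_RESULTS))
    print("training after drill 3:", needs_training(SAMPLE_RESULTS, 3))
    print("escalate:", escalation_candidates(SAMPLE_RESULTS))
```

Reporting is tracked separately from clicking because a user who simply ignores the mail neither passes nor fails; a rising report rate is the signal that training is working even when the click rate is flat.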

    • wright_is

      (Quickly looks for wood to touch)

      Our users are generally very good. Most forward us strange-looking genuine emails to confirm they aren't fake. We get half a dozen questionable emails a day sent to us, asking if they are genuine or fake. I'd much rather have that than having to deal with users who click on phishing links or install a trojan through a fake mail.

  3. lvthunder

    Sounds like we need to designate them as a terrorist organization and treat them accordingly.

  4. navarac

    I trust the West is doing the same to the Russians? Or are we too law-abiding?

    • lvthunder

      I wouldn't call it law-abiding. I would say we have better morals than that. Steve Gibson on Security Now this week was talking about how a Russian-based group encrypted Ireland's medical system and wanted $1000 under $20 million to get their data back and not have it sold or published. If we are doing this type of stuff we are just spying. We wouldn't shut down their healthcare system or shut down essential utilities.

  5. winner

    The common element is Microsoft Outlook.

    • wright_is

      Not really. Exchange server =/= Outlook and Exim most definitely doesn't require Outlook as a mail client and doesn't run on Windows Server either. The same for SolarWinds, it isn't even a Microsoft product.

      Nobody is "sitting pretty" in this mess, either on the proprietary software side or open source. No software product is perfect or 100% secure. The only way to secure a computer is to disconnect all the cables and bury it in concrete.

      • winner

        Thanks, I stand corrected. When I said "Outlook" I meant the mail system and of course that is not just Outlook.

  6. dftf

    It's a good thing Windows 10 ships with the ransomware protection feature enabled by default ("Controlled folder access")... oh no, wait, it doesn't.

    I can see a repeat of Windows XP happening, where before Service Pack 2 the built-in "Internet Connection Firewall" wasn't turned on by default, and some major worms went around globally...