The group that hacked SolarWinds is out with a new campaign, Microsoft says

Microsoft said in a blog post the hackers behind SolarWinds are already advancing their tradecraft, and are impersonating a U.S. government agency as part of a global phishing campaign.

Email sign with a fish hook on blue digital background. Email security and countermeasure concept By wk1003mike shutterstock ID: 593626601

Microsoft on Thursday said it has observed the same group behind the campaign against SolarWinds using new tactics involving a wide-scale email phishing campaign to target thousands of people, and in some cases masquerading as part of the U.S. Agency for International Development.

The group, which Microsoft calls "NOBELIUM," historically targets government organizations, think tanks, military, IT service providers, health technology and research institutions and telecommunications companies, according to Microsoft's blog post. The company's threat intelligence team has been tracking the group's email campaign since early this year.

"On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals," Microsoft wrote.

Nobelium allegedly targeted around 3,000 accounts of individuals at 150 different organizations. Most, but not all, of those emails were likely blocked and marked as spam. Microsoft also wrote the notable changes in Nobelium's tactics likely reflect the group's desire and ability to evolve its tradecraft since its campaign against SolarWinds was discovered in 2020.

"Microsoft security researchers assess that the NOBELIUM's spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics," according to the company.

The Cybersecurity and Infrastructure Security Agency published a short alert on Friday notifying public and private companies of Microsoft's discovery.

"May this serve as a reminder that espionage is unlikely to be deterred," John Hultquist, an executive at FireEye, tweeted on Friday of the campaign. "A loud operation following on the heels of SolarWinds is not an act of contrition."