The group behind the attacks on SolarWinds customers last year are now targeting government agencies, think tanks, consultants, and non-governmental organisations, according to Microsoft.

The tech giant said that this week a wave of attacks targeted around 3,000 email accounts across more than 150 different organisations.

While the US has received the biggest share of attacks, there have also been victims targeted in at least 24 countries.

Microsoft claims that Nobelium, which it says originates from Russia, is the same actor behind the attacks on SolarWinds customers in 2020.

It said that these attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.

Nobelium allegedly launched this week’s attacks by gaining access to the Constant Contact account of USAID, which is a service used for email marketing.

From there, Microsoft said, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.

“Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack,” said Tom Burt, corporate vice president, customer security & trust, Microsoft. “We’re also in the process of notifying all of our customers who have been targeted.

Burt added: “We detected this attack and identified victims through the ongoing work of the MSTIC team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”

The Microsoft executive said that, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.

“By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” said Burt.

According to Microsoft, Nobelium’s activities follow a pattern of behaviour where the group tracks issues of concern within the country they are operating in.

This time round the group targeted humanitarian and human rights organisations and during the height of the pandemic, Russian actor Strontium targeted healthcare organisations involved in vaccines.

“…nation-state cyberattacks aren’t slowing,” concluded Burt. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”

Share Story: