Microsoft cybersecurity researchers have found evidence of a malicious large-scale spear-phishing email campaign that they believe is operated by the same threat actors who were behind the SolarWinds supply chain attack.
Researchers at Microsoft’s Threat Intelligence Center (MSTIC) believe that the threat actor known as Nobelium, is once again targeting government agencies, think tanks, consultants, and non-governmental organizations via the new campaign.
Notably, the researchers add that prima facie evidence suggests that the latest Nobelium campaign “differs significantly” from the one that involved the compromise of the SolarWinds Orion platform.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” writes MSTIC in a post detailing the new campaign.
Spear-phishing campaign
The researchers add that as this is an ongoing campaign, it’s possible that MSTIC’s observations might change over time.
According to the post, the new campaign leverages the legitimate Constant Contact service to send malicious links that were obscured behind the mailing service’s URL.
MSTIC’s tracking has revealed that Nobelium launched the attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) before launching the phishing attacks on other organizations.
The latest campaign targets approximately 3000 individual accounts across more than 150 organizations, that MSTIC researchers note employ “an established pattern of using unique infrastructure and tooling for each target,” which also enables them to fly under the radar for a long time.
