SolarWinds Hacker Encore: Russia Phishing Attacks Target U.S. Government Agencies

Microsoft’s disclosure late last week that the hacking crew behind the SolarWinds Orion attack is targeting U.S. government agencies in a phishing expedition has legislators urging President Biden to tighten economic sanctions on Moscow.

Just in case you missed Microsoft’s warning: The Russian-backed Nobelium hackers have launched a malware attack not only on federal government agencies but also researchers, consultants and non-government organizations, the vendor’s security team said in a blog post.

The infiltration has hit some 3,000 email accounts in more than 150 different organizations, Microsoft said. U.S. facilities appear to have taken the brunt of the attacks that involved at least 24 countries, wrote Tom Burt, the company’s customer security and trust corporate vice president. Roughly 25 percent of the intended victims are involved in international development, humanitarian and human rights work, an indication the attacks are a "continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt said.

Still, the attacks offer a timely reminder for MSPs and MSSPs to offer cybersecurity awareness training services -- which typically familiarize customers with phishing-type emails.

Phishing Attacks: Microsoft's Analysis

Microsoft said that Nobelium had gained access to an email marketing account used by the U.S. Agency for International Development (USAID), an independent government wing that handles foreign aid and development assistance.

Antivirus services and endpoint detection and response solutions identified and protected the targeted entities against the malware deployed in the attacks. “It is important for all users to employ basic cybersecurity hygiene, including using multi-factor authentication, using antivirus/antimalware software and being careful not to click on links in email, unless you can confirm reliability to minimize the risk of being phished,” Burt said.

Nobelium’s phishing campaign comes hard on the heels of the allegedly Russian-orchestrated Colonial Pipeline cybersecurity event that disrupted the oil and gas supply along the eastern seaboard in early May 2021.

United States vs. Russia: Cyberattack Fallout?

President Biden imposed economic sanctions on Russia following the SolarWinds hack and Moscow’s attempts to influence U.S. elections. With word that the same group is newly engaged in Moscow's continued cyber espionage operations, some Democratic lawmakers are calling for the Biden administration to squeeze harder.

“If Moscow is responsible, this brazen act of utilizing emails associated with the U.S. government demonstrates that Russia remains undeterred despite sanctions following the SolarWinds attack,” House Intelligence Committee Chairman Adam Schiff (D-CA) said in a statement. “Those sanctions gave the administration flexibility to tighten the economic screws further if necessary,” he said. "It now appears necessary.”

Senate Intelligence Committee Chairman Mark Warner (D-VA) said the U.S. needs to reiterate to foreign nations that foreign cyber offensives will be met with a strong response. “We have to step up our cyber defenses, and we must make clear to Russia and any other adversaries that they will face consequences for this and any other malicious cyber activity,” he said in a separate statement.

The White House, however, reportedly waved off the Russian operation as standard fare that had largely been neutralized by Microsoft and other security specialists, proof that strengthened federal cyber defenses are working, the New York Times reported.

More Phishing Attack Analysis

Microsoft pointed to three reasons the attacks are important to note: (per Burt)