While most organizations are located in the US, victim organizations span 24 countries, with many targets directly involved in humanitarian aid, human rights work, and international development.

Microsoft Confirms SolarWinds Hackers New Campaign

In a post to its Microsoft On the Issues blog, Corporate Vice President for Customer Security & Trust, Tom Burt, confirmed and detailed Nobelium’s latest attack.

The latest attack began with Nobelium gaining access to a USAID email marketing account. From there, the attackers could distribute targeted phishing emails containing a malicious link. When the link is clicked, the victim downloads and installs NativeZone, a backdoor that gives the attackers extensive access to and control over the compromised computer.

According to the Microsoft Threat Intelligence Center technical blog on the attack, many of the malicious emails may have been blocked and marked as spam because of the massive volume in which they were sent.

However, these systems aren’t foolproof, and some emails passed through automatic detection systems “either due to configuration and policy settings or prior to detections being in place.” Still, Microsoft notes that its security systems are blocking the malware used in the attack.

The Threat Intelligence Center blog also contains information on the technical side of the Nobelium attack and malware in use.

SolarWinds Attackers Nobelium Resurface

The resurgence of Nobelium is a worrying sign, not least because the attackers have a successful track record for breaching high-level networks and gaining access to critical data.

As Microsoft and other major tech companies have stated consistently, more action against nation-state hacking groups (sometimes referred to as APTs) must come from governments. These enormous attacks aren’t slowing down. If anything, the success rate is emboldening attackers to seek more targets, especially by branching out into organizations that may have lax security protocols in place.

Finally, the range of targets is worrying, too. Targeting humanitarian efforts, NGOs, and human rights activists illustrates that this form of attack has become one of the primary weapons of choice for certain nation-states, used to undermine or destroy ongoing work in critical areas.