SolarWinds Hackers Strike Again, Targeting 150-Plus Organizations Mostly in the U.S.

It's clear the United States is a prime target for bad actors.

Edward Gately, Senior News Editor

May 28, 2021

4 Min Read
Shaded hacker

The notorious SolarWinds hackers are back, this time targeting about 3,000 email accounts at more than 150 different organizations.

That’s according to Microsoft. Organizations in the United States are victims of the largest share of attacks, but the malfeasance spans at least 24 countries.

At least a quarter of the organizations targeted by the SolarWinds hackers were involved in international development, humanitarian and human rights work. Nobelium, originating from Russia, is the same group behind the attacks on SolarWinds customers in 2020.

Microsoft says these attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.

Deceptive Emails

Nobelium launched the new attacks by gaining access to the Constant Contact account of the United States Agency for International Development (USAID). Constant Contact is a service used for email marketing.

From there, the actor distributed phishing emails that looked authentic but included a link. When clicked, the link inserted a malicious file used to distribute a backdoor called NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.

Tom Burt is Microsoft’s corporate vice president of customer security and trust.


Microsoft’s Tom Burt

“Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack,” he said. “We’re also in the process of notifying all of our customers who have been targeted. We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC) team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”

SolarWinds Hackers’ Playbook

Part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers, Burt said. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, he said. The focus of these attacks by Nobelium are on human rights and humanitarian organizations.

Lotem Finkelsteen is head of threat intelligence at Check Point Software Technologies.


Check Point’s Lotem Finkelshtein

“These attacks are not opportunistic or near-term, but rather strategic and long-term,” he said. “While one attack is practiced in the wild, another one is cooking, and will be ready to serve as a replacement, if anything gets exposed. If you are a valuable target, the attackers won’t let you go. The only way to protect yourself from such strategic attacks is to enact a strategic defense. The next attack can come in any form.”

Here to Stay

Kelvin Coleman is executive director of the National Cyber Security Alliance (NCSA). He said it’s clear that cyber threats are here to stay. That’s whether you are a business, government agency or a third-party vendor.


NCSA’s Kevin Coleman

“It is clear that the U.S. is a prime target for bad actors, and as recent successful attacks have underlined, more needs to be done in order to fortify our cyberattack prevention, detection and response efforts,” he said.

The hackers’ emails looked to be …

… genuine, Coleman said. They could give hackers unfettered access to both recipient computers as well as computers on their entire network.

“Meaning, they would have access to a huge amount of data, personal information and more,” he said.

Stronger Training Needed

This attack in particular illustrates the need for organizations to adopt stronger training systems. That’s so everyday employees are keenly attuned to potential threats and how to respond appropriately, Coleman said.

“Of course, having cutting-edge technology is helpful,” he said. “However, the risks of attacks such as this – which is an example of the long-lived phishing attack – can be prevented and mitigated significantly by expanding the knowledge around how to identify potential cyberthreats, how to avoid them, and how to report them when you spot them. Unfortunately, this first line of defense is clearly very porous at many organizations today. And although this is a major concern, once it is tightened we will begin to see a decline in the impacts these attacks are having.”

Charlie Gero is CTO of Akamai‘s security technologies group. He said Nobelium is doing something “pretty interesting.”

“They are storing their malware on domains that people don’t block, like Google Firebase and Dropbox,” he said. “They are effectively laundering their malware through trusted SaaS providers. This means protection at the DNS layer, while critically important, is obviously not enough. You need content inspection too, and that’s where secure web gateways (SWGs) come into play. It expands the protections from focusing on keeping end users away from dangerous areas on the internet to accepting that everywhere can be dangerous, and thus scanning for viruses, performing sandboxing, etc. is a must.”

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like