Cyberattackers behind SolarWinds hack striking at U.S. again: Microsoft

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said. 

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt. 

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.”

Mr. Burt said that the hackers’ latest effort began when they gained access to the U.S. Agency for International Development’s (USAID) account with Constant Contact, a company that makes email marketing software.

“We are aware that a bad actor accessed one of our customer’s account credentials to send malicious emails,” Constant Contact said on Twitter on Friday. “This appears to be an isolated incident. We have temporarily disabled the impacted accounts, and are collaborating with the customer as they work with law enforcement.”

While the hacking campaign could be Constant Contact’s first brush with the hackers, it is not an isolated incident for the U.S. government. The hack of SolarWinds computer network management software disclosed publicly last year compromised nine federal agencies. 

The Biden administration attributed the SolarWinds hack to the Russian Foreign Intelligence Service (SVR) and imposed sanctions on Russia in response. 

Microsoft said Friday that the new hack was conducted by “Nobelium,” which the company said was the “same actor” behind the SolarWinds hack. 

“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Mr. Burt wrote. 

Mr. Burt said Microsoft automatically blocked “many of the attacks” targeting its customers and is notifying all those affected.

Microsoft also warned that “nation-state cyberattacks aren’t slowing” and said it has become clear that the hackers’ playbook is to infiltrate trusted technology providers to infect their customers.