The Russian hackers who hacked into SolarWinds’ IT management software to compromise a slew of US government agencies and companies are back in the spotlight. Microsoft said on Thursday that the same “Nobelium” spy group has been developing an aggressive phishing campaign since January this year and has stepped it up significantly this week, targeting about 3,000 individuals at more than 150 organizations in 24 countries.
The revelation caused a stir and highlighted Russia’s ongoing and inveterate digital spy campaigns. But it should come as no shock that Russia in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And compared to SolarWinds, a phishing campaign seems downright ordinary.
“I don’t think it’s an escalation, I think it’s the normal course of events,” said John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intruders. “I don’t think they will be deterred and I don’t think they will be deterred.”
Russia’s latest campaign is well worth it. Nobelium has compromised legitimate accounts of the Constant Contact bulk email service, including those of the United States Agency for International Development. From there, the hackers, allegedly members of Russia’s SVR foreign intelligence agency, were able to send specially crafted spear-phishing emails that actually came from the email accounts of the organization they were impersonating. The emails contained legitimate links that were then redirected to the malicious Nobelium infrastructure and installed malware to take control of target devices.
While the number of targets may seem large and USAID works with many people in sensitive positions, the actual impact may not be as severe as it may seem at first glance. While Microsoft acknowledges that some messages may have arrived, the company says that automated spam systems have blocked many of the phishing messages. Microsoft Corporate Vice President for Customer Security and Trust Tom Burt wrote in a blog post Thursday that the company views the activity as “advanced” and that Nobelium developed and refined its strategy for the campaign over the months leading up to this week’s targeting.
“It is likely that these observations represent changes in the actor’s craft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a linchpin after their SolarWinds coverage blows up.
But the tactics in this latest phishing campaign also reflect Nobelium’s common practice of accessing one system or account and then using it to gain access to others and hastily achieve goals. It’s a spy agency; this is what it does as a matter of course.
“If this had happened before SolarWinds, we wouldn’t have thought about it. It’s just the context of SolarWinds that makes us see it differently,” said Jason Healey, a former Bush White House aide and current cyber conflict researcher at Columbia University. “Let’s say this incident is in 2019 or 2020 I don’t think anyone will blink here.”
Also, as Microsoft points out, there is nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, especially USAID, NGOs, think tanks, research groups, or military and IT contractors.
“NGOs and DC think tanks have been high-value soft targets for decades,” says a former cybersecurity adviser to the Department of Homeland Security. “And it’s an open secret in the world of incident response that USAID and the State Department are a jumble of inexplicable, outsourced IT networks and infrastructure. In the past, some of those systems had been compromised for years.†
Especially compared to the scale and sophistication of the SolarWinds breach, a widespread phishing campaign almost feels like a switchback. It is also important to remember that the impact of SolarWinds continues; even after months of publicity about the incident, it’s likely that Nobelium is still lurking in at least some of the systems it compromised during that effort.
“I’m sure they still have access to the SolarWinds campaign in some places,” said FireEye’s Hultquist. “The main driver of the activity has diminished, but they are likely to linger in several places.”
That’s just the reality of digital espionage. It doesn’t stop and it doesn’t start on the basis of public embarrassment. Nobelium’s activity is certainly undesirable, but in itself it does not represent a major escalation.
Additional reporting by Andy Greenberg. This story originally appeared on wired.com.