Microsoft Says SolarWinds Hackers Have Struck Again at the US and Other Countries

The hackers behind one of the worst data breaches ever to hit the US government have launched a new global cyberattack on more than 150 government agencies, think tanks and other organizations, according to Microsoft. ytene shares a report: The group, which Microsoft calls "Nobelium," targeted 3,000 email accounts at various organizations this week -- most of which were in the United States, the company said in a blog post Thursday. It believes the hackers are part of the same Russian group behind last year's devastating attack on SolarWinds -- a software vendor -- that targeted at least nine US federal agencies and 100 companies.

Cybersecurity has been a major focus for the US government following the revelations that hackers had put malicious code into a tool published by SolarWinds. A ransomware attack that shut down one of America's most important pieces of energy infrastructure -- the Colonial Pipeline -- earlier this month has only heightened the sense of alarm. That attack was carried out by a criminal group originating in Russia, according to the FBI. Microsoft said that at least a quarter of the targets of this week's attacks were involved in international development, humanitarian, and human rights work, across at least 24 countries. It said Nobelium launched the attack by gaining access to a Constant Contact email marketing account used by the US Agency for International Development.

Oh no!

[war4peace]

As long as those responsible with cyber security, from those companies, agencies, etc, will save face with a shrug, an apology and "the Russians did it", nothing will change.

Re:Oh no!

[ShanghaiBill]

Our political and corporate leaders are rewarded for solving problems.

They are not rewarded for preventing problems.

Re:

[SAJChurchey]

Neither are they punished for any lack of foresight. Either because "The Orange Man is bad" or "The Socialists are ruinin' 'Merica."

Re:

[chuckugly]

I don't normally care for political comments but you gave equal time to mocking both sides, so I say mod parent up.

Re:

[chispito]

Wish I had mod points, Bill. This reminds me of a previous workplace where a coworker got employee of the month for putting in long weekend hours to fix problems. Our jobs had some overlap. I remember being a little disappointed because it was pretty clear he had to put in the long hours because he failed to do things right the first time.

Re:

[MachineShedFred]

If I had a nickel for every time I saw this, I wouldn't have to be employed any more. I once saw accolades heaped onto a specific numbnuts for getting their team's web app deploys down to "under an hour!" from the previous 4+ hour marathon zoom calls they used to have.

Meanwhile, my team was doing deploys in about 3 minutes through automation and prestaging of code artifacts prior to execution of the deploy. And we had been for over a year at that time. Now it wouldn't even be a timed thing due to kuberne

Re:

[ChatHuant]

Our political and corporate leaders are rewarded for solving problems.

I know that's the theory, but I really don't see it happen in practice. For example, GW Bush, whose problem solving skills was ... let's say marginal, was nevertheless re-elected. Countless CEOs fail to solve their company's problems but get huge raises and bonuses anyway. So I think this axiom needs to be urgently forwarded to the Axiom Review Board for emergency reexamination.

Re:

[Mitreya]

those companies, agencies, etc, will save face with a shrug, an apology...

Cyber security is an interesting one.
Basically, all you can find is general "negligence" or "insufficient security practices". Hard to identify who specifically caused the breach (particularly if it wasn't some blatantly obvious lack of patching).
So what is the alternative? Fire everyone above certain level in management when a cyber breach occurs?

Re: Oh no!

[kopecn]

These suggestions for security comes up in exec meetings all the time. Its taboo for execs to push further since email record will provide more evidence in disclosure. They do not choose these security fixes since they will cost money and rather rely on insurance to cover in case of breach. Breach damages are prenegotiated into every services contract per the insurance level the company signs up for. At the heart of all this is shitty Microsoft operating systems from the 2000s that never get fixed or upgr

Re:

[gtall]

More to the point, execs can put a price on insurance. They cannot put a price on security. They can spend money on security but they cannot show what they get with that money. So the company now has corralled the security issue into a line item on their balance sheets called insurance-for-security. The accountants are happy, the execs are happy...until shit hits the fan. Then the accountants are still happy but the execs now have to find scapegoats.

Re:

[thereddaikon]

I've been thinking a lot about how to solve this. Certainly punishing people in positions of power for being negligent with security is a good change. But while that will make people harder targets it wont get rid of the problem.

In places like Russia, India and China you have state groups of course but many of these gangs are normal criminals. Their governments turn a blind eye to their activities as long as they target foreigners, especially citizens and companies of nations they don't like. There is effec

Re:

[MachineShedFred]

... so a 21st Century privateer license? Does it come with an eyepatch and a puffy silky shirt?

Personally, I'd be fine with the source of the hack receiving a cruise missile or a CIA rendition squad, but understand the political issues involved. It would be interesting to know if Russia would get pissed off that criminals it disavows magically ended up in a jurisdiction with extradition treaties with the US...

It would only have to happen a few times, and I think the message would be received loud and clea

Re:

[thereddaikon]

Obviously fashion changes with the time. Being a modern privateer in cyberspace means you are trading the eye patch for ray bans, the tricorn hat for a powerglove and the breeches and stockings for ripped jeans.

But in all seriousness, the US gov rarely directly acts in these situations because of the political fallout potential. In these situations when an official response isn't possible, you see deniable assets come to the fore. Proxy wars are a good modern example. I think eventually you will see deniabl

Ahem. . . .

[Salgak1]

As long as those responsible with cyber security, from those companies, agencies, etc, will save face with a shrug, an apology and "the Russians did it", nothing will change.

. . . . I do cyber for a living. We've been tracking this since 6:20 this morning, have already scanned our logs for indicators, and put blocks in place and YARA rules for the specific software involved by 9:45 this morning.

I briefed the CISO at 8:30 this morning on it. And I'm coming in for the next few days, even if it's a weekend and a holiday, to make **sure** we're clean. . . .

Re:

[war4peace]

I was talking about top brass people.

HTML/JS in emails : what could go wrong!

[grumpy-cowboy]

Issue details from Microsoft site (ref: https://www.microsoft.com/secu... [microsoft.com] )

Extract:
In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.

Re:

[MachineShedFred]

Sounds like a whole lot of shit I only have to worry about if I'm running Windows.

So I guess my entire division of my company is good, since we're only Mac and Linux.

Correction

[SlashbotAgent]

The group, which Microsoft calls "Nobelium," targeted 3,000 email accounts at various organizations this week

The 3,000 email accounts are all at a single organization, Microsoft 365.

Re:

[I've Got Three Cats]

A convenient omission by Microsoft. Of course it does explain how they detected an attack against "... 3,000 email accounts at various organizations... " and know so much about what it does.

Only constant attacks will coerce improve security

[couchslug]

Consider those attacks an evolutionary input.

Convenience trumps security because security was not considered important, as pandemic civil defense was not considered important.

Not really.

[gillbates]

If constant attacks could coerce security, we'd all be running Linux by now. These sorts of things have targeted Windows systems for more than three decades. And they continue because ransomware is one of the lowest-risk businesses on the planet.

The underlying issue is that from a corporate point of view, the convenience of Windows accrues to the benefit of the user, while the damage of ransomware accrues to the detriment of the shareholders. Until shareholders become united in a push for better secur

*sigh* the bullshit never ends

[fustakrakich]

It's always Russia, even when it's not [unlimitedhangout.com]. Ah well, ya do what it takes to cover up domestic problems and keep reelection rates up at 98%

Microsoft knows shit about security!

[takionya]

Just who in their right minds dynamically connects 150 government agencies to the one remote monitoring tool. The root of the problem is all those donations that Microsoft made in Washington. And the two way traffic between Microsoft executives and government departments. That persuaded Homeland Security to run all their infrastructure on Windows.