The group that hacked SolarWinds is out with a new campaign, Microsoft says

Email sign with a fish hook on blue digital background. Email security and countermeasure concept By wk1003mike shutterstock ID: 593626601 

Microsoft on Thursday said it has observed the same group behind the campaign against SolarWinds using new tactics involving a wide-scale email phishing campaign to target thousands of people, and in some cases masquerading as part of the U.S. Agency for International Development.

The group, which Microsoft calls "NOBELIUM," historically targets government organizations, think tanks, military, IT service providers, health technology and research institutions and telecommunications companies, according to Microsoft's blog post. The company's threat intelligence team has been tracking the group's email campaign since early this year.

"On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals," Microsoft wrote.

Nobelium allegedly targeted around 3,000 accounts of individuals at 150 different organizations. Most, but not all, of those emails were likely blocked and marked as spam. Microsoft also wrote the notable changes in Nobelium's tactics likely reflect the group's desire and ability to evolve its tradecraft since its campaign against SolarWinds was discovered in 2020.

"Microsoft security researchers assess that the NOBELIUM's spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics," according to the company.

The Cybersecurity and Infrastructure Security Agency published a short alert on Friday notifying public and private companies of Microsoft's discovery.

"May this serve as a reminder that espionage is unlikely to be deterred," John Hultquist, an executive at FireEye, tweeted on Friday of the campaign. "A loud operation following on the heels of SolarWinds is not an act of contrition."

About the Author

Justin Katz is a former staff writer at FCW.


  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected