The group that hacked SolarWinds is out with a new campaign, Microsoft says


Microsoft on Thursday said it has observed the same group behind the campaign against SolarWinds using new tactics involving a wide-scale email phishing campaign to target thousands of people, and in some cases masquerading as part of the U.S. Agency for International Development.

The group, which Microsoft calls "NOBELIUM," historically targets government organizations, think tanks, military, IT service providers, health technology and research institutions and telecommunications companies, according to Microsoft's blog post. The company's threat intelligence team has been tracking the group's email campaign since early this year.

"On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals," Microsoft wrote.

Nobelium allegedly targeted around 3,000 accounts of individuals at 150 different organizations. Most, but not all, of those emails were likely blocked and marked as spam. Microsoft also wrote that the notable changes in Nobelium's tactics likely reflect the group's desire and ability to evolve its tradecraft since its campaign against SolarWinds was discovered in 2020.

"Microsoft security researchers assess that NOBELIUM's spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics," according to the company.

The Cybersecurity and Infrastructure Security Agency published a short alert on Friday notifying public and private companies of Microsoft's discovery.

"May this serve as a reminder that espionage is unlikely to be deterred," John Hultquist, an executive at FireEye, tweeted on Friday about the campaign. "A loud operation following on the heels of SolarWinds is not an act of contrition."

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.
