Date: 2021-05-28

WASHINGTON DC (Agencies): Russian hackers seized the email system used by the State Department’s international agency and other human rights groups, Microsoft announced.

Tom Burt, Microsoft’s corporate vice president of Customer Security & Trust, disclosed in a blog post on Thursday that the Russian group Nobelium targeted about 3,000 email accounts from 150 different organizations in at least 24 countries. The United States received the largest share of the attacks.

Burt said at least a quarter of the organizations targeted were involved in international development, humanitarian and human rights work.

The attacks were launched by gaining access to the email marketing account of the US Agency for International Development (USAID), which falls under the State Department. From there, the hackers distributed phishing emails that looked real but included a link with a malicious file.

Burt wrote that the attacks “appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

These attacks are notable for three reasons.

First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines.

In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.

Third, nation-state cyberattacks aren’t slowing. We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules. We must continue to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord, and the CyberPeace Institute. But, we need to do more. Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.

In a separate post, Microsoft said the hackers sent emails to recipients that were made to appear like an alert which stated “Donald Trump has published new documents on election fraud.”

If clicked, the URL directed them to the legitimate Constant Contact Service, and then to Nobelium-controlled infrastructure. A malicious file was then delivered to the system.

The Cybersecurity Infrastructure Security Agency said it was “working with the F.B.I. to better understand the extent of the compromise and assist potential victims,” The New York Times reported.

Nobelium, based in Russia, was the same actor behind the hack of SolarWinds in 2020 during which hackers gained access to 18,000 customers and compromised nine federal agencies.

The Biden administration has formally acknowledged Russia as being behind the hack and sanctioned Russia in mid-April over its involvement.

The hack came a couple of weeks after cybercriminals launched a ransomware attack on the Colonial Pipeline, forcing it to shut down operations and disrupting gas supplies.

President Biden signed an executive order earlier this month to improve federal cybersecurity amid the attack and multiple others.