Microsoft has revealed that the hacking group known as Nobelium has targeted over 150 organisations worldwide in the past week, including government agencies, think tanks, consultants, and non-governmental organisations, via phishing emails. At least 25% of the targeted organisations are involved in international development, humanitarian and human rights work, but the Kremlin has said today that it does not have any information on the cyberattack and that Microsoft needs to answer more questions, including how the attack is linked to Russia.
It’s worrying to see that another spear-phishing attack is taking place this week, impersonating an email marketing account of the US Agency for International Development. Unfortunately, it seems that the attacker may have had some success in breaching targets. This is yet another reminder for organisations to train their employees to recognise phishing attacks. Phishing attacks are really sophisticated and can come in many forms, such as emails, social media and text messages.

Ensuring employees understand how to identify and spot red flags of a phishing campaign can reduce the risk of your organisation being affected by a cyberattack or ransomware. According to Verizon’s recent data breach report, 36% of breaches involved phishing, 11% more than last year. It makes pure business sense for everyone in their organisation to have awareness so they can confidently take action against the increasing threat of phishing by remaining alert and responding to threats appropriately.
The SolarWinds attack was noteworthy for its sophistication. Here, we can see the same group using a much more common tactic – a phishing campaign – but in an equally dangerous way due to the fact it is targeted at compromising government organisations. The most noteworthy aspect of this campaign is its breadth. By compromising a high-profile target – USAID – the hackers have managed to secure a launchpad to then target more than 150 organisations, across 24 countries, from an email address they will trust. Thankfully, Microsoft has identified the attack and it seems that in many cases the emails will have been identified as suspicious and blocked before they got to their target. However, this is a dangerous situation – as phishing attacks are essentially a numbers game and the attackers are playing the odds. If they target 3,000 accounts, it only takes one employee to click on the link to establish a backdoor for the hackers in a government organisation.

This is why it is so important to have a broad base level of security across all government departments, to reduce the opportunity for hackers to gain a foothold through broad, sweeping campaigns. It is also important that systems are continuously monitored to detect breaches. We have to assume that at some point these organisations will be breached, so detecting and effectively responding to these types of attack becomes critical to reducing the impact and risk of further disruption inside that organisation or those they do business with.
Sadly, the mechanics of modern international law are toothless to indict and prosecute a sovereign state. Thus, even if it is once proven that the new attack was organized by a specific country, no trial or compensation will likely take place. Sanctions and counter-sanctions have already been in place for almost a decade but seem to have no effect on the surging state-sponsored hacking campaigns. The only good news is that the disastrous supply-chain attacks stimulate Western governments to increase cybersecurity spending and implement better data protection laws and regulations. The recent Executive Order of President Joe Biden is a good example of such positive developments in response to the attacks.

Moreover, reliable attribution of these attacks to any state is somewhat problematic, both technically and legally speaking. First, many nation-state actors purposely hire foreign cyber mercenaries who have no connections with their countries. Oftentimes, they deal via so-called brokerage, making attribution even harder by placing hacking orders with trusted intermediaries who later hire and pay the attackers. The latter, meanwhile, commonly try to mislead possible forensic investigation of the intrusion by copying attack patterns of known hacking groups or, among other things, by stealing data that they don’t really need but want to exfiltrate as if it was the primary target of the attack.