Russian Hackers Target Government Agencies, Think Tanks and NGO’s

Fortify Security Team
Jun 1, 2021

Nobelium’s Expanding Cyber Campaign: A Deep Dive into the Russian-based Hackers’ Latest Attacks

In recent years, cyber threats have become a significant concern for governments, organizations, and individuals worldwide. One of the most notable cyber-espionage campaigns was the SolarWinds attack, orchestrated by Russian-based hackers. These hackers, identified as Nobelium, have not rested on their laurels. Instead, they have initiated a new wave of cyber-attacks, with their crosshairs primarily set on government agencies, think tanks, and non-governmental organizations (NGOs). Microsoft, a leading tech giant, unveiled these findings on Thursday, shedding light on the depth and breadth of Nobelium’s latest endeavors.

How Nobelium Accessed USAID’s Communication Channels

Nobelium’s recent campaign was launched after it successfully infiltrated an email marketing service utilized by the United States Agency for International Development (USAID). Microsoft’s investigation revealed that the hackers accessed USAID’s account with Constant Contact, a renowned mass mailing service. This breach allowed them to send out deceptive emails that appeared to be official communications from USAID. Some of these emails carried headlines such as “special alert” and provocatively claimed, “Donald Trump has published new documents on election fraud.” However, these emails were far from benign. They contained links that, when clicked, redirected users to infrastructure controlled by Nobelium. This infrastructure was designed to deliver malicious files to the unsuspecting user’s device.

The Objective and Impact of the Attack

Tom Burt, Microsoft’s Vice President of Customer Security and Trust, highlighted in a blog post that these attacks seem to be an extension of Nobelium’s ongoing efforts. Their primary objective appears to be targeting government agencies associated with foreign policy, aiming to gather intelligence. This recent campaign has been particularly expansive. Over 3,000 email accounts spanning 150 organizations have been targeted. While a majority of these organizations are based in the United States, the attack’s reach has extended to at least 24 countries. Notably, about 25% of these organizations are engaged in sectors such as international development and human rights advocacy.

The modus operandi of Nobelium in this campaign has been the use of phishing emails. These emails are meticulously crafted to appear legitimate, luring the recipient into downloading malicious files. Microsoft’s research indicates that this email campaign commenced in January and has seen several evolutions since its inception.

The Aftermath and Microsoft’s Response

Once these malicious files are downloaded, they grant Nobelium persistent access to the compromised systems. This level of access can lead to data breaches, espionage, and other malicious activities. Microsoft’s Threat Intelligence Center played a pivotal role in detecting this attack, emphasizing their commitment to tracking nation-state actors and their cyber campaigns.

It’s crucial to note that, as of now, Microsoft believes that there isn’t a vulnerability within its products or services related to this attack. This assertion is significant, especially considering the magnitude of the SolarWinds attack, which compromised numerous federal agencies and multiple companies. Reflecting on the SolarWinds incident, Microsoft President Brad Smith described it as “the largest and most sophisticated attack the world has ever seen.”


The evolving nature of cyber threats, as demonstrated by Nobelium’s continuous campaigns, underscores the importance of robust cybersecurity measures. Organizations, irrespective of their size or domain, need to be vigilant, adopt advanced security protocols, and continuously educate their workforce about the dangers of phishing and other cyber threats. As cyber adversaries become more sophisticated, the global community must unite in its efforts to safeguard digital assets and infrastructure.

Recent Posts

Ransomware Attacks on Agricultural Cooperatives

The Federal Bureau of Investigation (FBI) is informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss,...

SIM Swapping Attacks to Steal Cryptocurrency to Become Prominent

Unidentified actors are conducting subscriber identity module (SIM) attacks and stealing cryptocurrency from victims, resulting in financial loss to cryptocurrency investors. Reporting indicates, unidentified actors withdrew cryptocurrency worth over $600,000 from...

Stabbing Attack Injures Multiple Victims on Passenger Train

A yet to be identified male attacker, armed with a knife, stabbed at least 10 passengers on board a commuter train in the Japanese capital, Tokyo, on Friday night, August 6. The attack occurred on an evening commuter train in Tokyo's Setagaya ward, which is located in...

Beware of Grandparent Fraud Scheme Using Couriers

Criminal actors target elderly U.S. citizens in a grandparent fraud scheme in which they arrange for couriers to pick up bail money in person at the victim’s residence. Criminals telephonically contact their victims and pose as a grandchild, or another family member,...