Microsoft says hackers who compromised SolarWinds breached three new victims

Microsoft says hackers who compromised SolarWinds breached three new victims

Nobelium, a Russia-linked hacking group believed to have compromised SolarWinds network monitoring software in order to plant malicious software on the company customers’ networks last year, has returned with a new series of attacks, Microsoft said in a new report.

The tech giant said its investigation showed that the group, also known as APT29, Cozy Bear, and The Dukes, used password spray and brute-force techniques to compromise victims. While Nobelium’s recent activity was largely unsuccessful, the hackers managed to breach networks of three new entities, Microsoft said.

The attacks targeted mostly IT companies (57%), followed by government (20%), and non-governmental organizations and think tanks, as well as financial services.

“The activity was largely focused on US interests, about 45%, followed by 10% in the UK, and smaller numbers from Germany and Canada. In all, 36 countries were targeted,” Microsoft noted.

The Redmond-based company also said it has found information-stealing malware on a machine belonging to one of its customer support agents with access to basic account information for a small number of customers. The hackers used this information to conduct highly-targeted attacks as part of their broader campaign. The access to the machine has since been removed and the customer’s agent device has been secured, Microsoft said.

Last month, Microsoft reported that Nobelium hacking group targeted over 150 organizations across at least 24 countries using a hacked USAID (United States Agency For International Development) account at a mass email marketing company Constant Contact to send phishing emails and deploy the NativeZone backdoor capable of stealing information.

Back to the list

Latest Posts

UAC-0219 targets Ukraine’s government agencies with WRECKSTEEL stealer

UAC-0219 targets Ukraine’s government agencies with WRECKSTEEL stealer

This activity has been ongoing since at least the fall of 2024.
3 April 2025
Police crackdown shuts down major Kidflix platform hosting child sexual abuse material

Police crackdown shuts down major Kidflix platform hosting child sexual abuse material

As a result of the operation, 79 arrests were made, 1,393 suspects identified, and over 3,000 electronic devices seized.
2 April 2025
Ongoing campaign targets exposed PostgreSQL instances to deploy crypto miners

Ongoing campaign targets exposed PostgreSQL instances to deploy crypto miners

The campaign could involve over 1,500 compromised systems.
2 April 2025