Feds Seized 2 Cyber Domains of Hackers/SolarWinds

DOJ:

Domain Names Were in Part Used to Control a Cobalt Strike Software Tool that the Actors Implanted on Victim Networks

WASHINGTON – On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division. “Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”

“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia. “As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”

“Friday’s court-authorized domain seizures reflect the FBI Washington Field Office’s continued commitment to cyber victims in our region,” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office. “These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.”

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities. More here.

Solarwinds Management Tools - Full Control Networks source

More details on the backstory of SolarWinds

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

Hunter’s Baby Mama was Actually on the Payroll

Until Hunter took her off the payroll and canceled her health insurance after the baby was born….

The former stripper who bore Hunter Biden’s out-of-wedlock child — and who he claims that he has no memory of meeting — was on his consulting firm’s payroll during her pregnancy, text messages retrieved from his laptop reveal.

And the first son made sure she was booted off the company insurance plan months after she gave birth, according to the texts.

The messages, which are contained on Hunter Biden’s abandoned laptop, shed new light on the relationship between him and Lunden Roberts, who gave birth to their daughter Navy Joan Roberts in August of 2018, the Daily Mail reported Wednesday.

Roberts messaged Biden on July 24 of that year to let him know that their child’s due date was Sept. 8 (“Amoeba DD Sep 8, 2018 All Good,” she wrote), the Mail reported. The message received no response from Hunter.

Fifteen days later, on Aug. 8, Roberts messaged him again.

“Reached out a few times, it’s clear you don’t want to be reached,” she wrote. “Need to talk to you. If you feel the need to reach out, my line is always open. Hope all is well.”

Again, Biden did not respond. Screenshots taken by the Mail showed that message appeared four times, though it’s not clear whether Roberts actually sent the message four times.

That December, Hunter Biden messaged assistant Katie Dodge asking for information about his firm, Rosemont Seneca.

“And just for clarification who is pay roll paid to now and for past nine months?” he asked, adding in subsequent messages, “So when you took what’s her name off and re directed her income did it also End my insurance.”

“Past nine months has been you, me, Lunden, Hallie, Liz & Erin,” Dodge responded. “But currently only you me & Erin.”

Dodge later reassured Hunter: “No, Lunden’s removal doesn’t jeopardize insurance.”

Roberts slapped Hunter Biden with a paternity suit in May 2019. The suit was settled in March of last year with Biden agreeing to pay an undisclosed monthly sum in child support and health insurance premiums. More here from the NY Post

*** Hunter Biden subpoena seeks info on Burisma, other entities source

Related reading: Dem Lobbyists Under Investigation over Work for Hunter Biden Linked Ukrainian Energy Firm

There is more actually and this deals with Hunter’s salary. It was cut in half because dad was no longer Vice President…..

President Joe Biden’s son Hunter had his salary cut by the Ukrainian energy company that put him on their board while Joe served as President Barack Obama’s vice president — just two months after the end of the Obama administration.

A new book from New York Post columnist Miranda Devine includes an email sent to Hunter on March 19, 2017 — two months after President Donald Trump was inaugurated — that asked the younger Biden to sign a new director’s agreement. The email, sent by Burisma executive Vadym Pozharskyi, stated that “the only thing that was amended is the compensation rate.”

“We are very much interested in working closely together, and the remuneration is still the highest in the company and higher than the standard director’s monthly fees. I am sure you will find it both fair and reasonable,” the email said.

Prior to the email, while Joe Biden was vice president, Hunter was paid $83,333 a month to sit on Burisma’s board. After the new agreement was signed, his compensation was slashed by half, to $41,500. To be sure, still an exorbitant monthly sum for someone with no qualifications to sit on the board, but far less than the $1 million-a-year salary he was commanding.

The email, published by the Post, contains no documented reason for the pay cut. As Devine wrote, the “only change in circumstance appears to be that Hunter’s father was no longer in office.” Hat tip to The Daily Wire.

Hunter resigned from the board in April 2019 when his continued employment caused headaches for Joe’s presidential campaign.

Devine added that this email, as well as invoices and other emails, were included on the damaged laptop obtained by the Post ahead of the 2020 election. The Post reported on the contents of the laptop, but the story was suppressed by social media platforms and the mainstream media.

America First Must Build a New Shipping Canal for the Supply Chain

Since 2020, America has suffered through supply chain shortages, compounded by the ransomware attacks on the Colonial Pipeline and now on the largest meat processor.

A cyberattack on JBS, the largest meat producer in the world, forced the shutdown of American slaughterhouses, and the closures may be spreading. JBS’s five biggest beef plants in the U.S. halted processing following the weekend attack, equal to one-fifth of all of America’s meat production. Slaughter operations across Australia were also down and one of Canada’s largest beef plants was idled. The prospect of more extensive shutdowns is upending agricultural markets and raising concern about food security as hackers increasingly target critical infrastructure. Livestock futures slumped while pork prices rose. JBS told the White House that the cyberattack, like several previous ransomware assaults, probably originated in Russia.

There are shortages of chicken, chlorine, flour, lumber, computer chips, rare earth minerals like cobalt, rental cars, palm oil, truck drivers, diapers and appliances to list a few. Just imagine the impact of pharmaceuticals via China.

Consider the supply chain dangers if sea shipping was slowed or stopped. Consider the Panama Canal. Why worry?

China is the short answer. And China hates the United States.

In part:

Beijing is currently the second or third largest trading partner with the countries of Central America.  Chinese investment in Central America is present in infrastructure projects in Honduras, Nicaragua, Costa Rica, and Panama, and there are plans for further investment in El Salvador and Guatemala.  Excluding a contemplated US $50 billion dollars in a canal project in Nicaragua, Chinese investment in Central American infrastructure has totaled approximately US $2 billion thus far.

In a further demonstration of growing ties between the PRC and the countries of Central America, Costa Rica, Panama, and El Salvador have each broken relations with Taiwan to establish diplomatic ties with China.  Other countries in the region could soon follow suit.

Panamanian “Panda Bonds”

Sino-Central American investment is being actively pursued in Panama.  The country is one of the nations in Latin America that is part of an ambitious program that Beijing has undertaken in the region.

The PRC’s “Silk Road” initiative is a trading and infrastructure plan that aims to connect Asia, Europe, Africa, and Latin America in the same way that the trade route existed during ancient times.  In addition to this initiative, further Chinese investment in Central America will result from the Panamanian government’s issuance of US $500 million of “Panda Bonds” in 2018.  Panda Bonds are Chinese renminbi-denominated bonds from a non-Chinese issuer that are sold into the Chinese market.  Panama issued them in order to take advantage of China’s lower borrowing costs.

***

China’s advancement in Central America dates back to 2007, when Costa Rica became the first Central American country to establish diplomatic relations with Beijing. Since then, economic relations between both countries have developed, helping to promote China’s regional brand. Economically, China has presented itself as an attractive partner. In 2008, China purchased Costa Rican bonds in excess of $300m, offered the country aid worth $130m, and funded the $105m construction of the Estadio Nacional. Meanwhile, on March 2 Chinese state media claimed that China will finance the expansion of a highway connecting Costa Rica and the Caribbean.

Chinese activity in Costa Rica is not limited to finance. In terms of culture, students at the University of Costa Rica can study Chinese and enrol in Chinese cultural programmes. The Chinese government has also promoted the development of Chinatown in San José, Costa Rica’s capital.

What is the solution?

America First should consider mobilizing a real infrastructure operation to build a new shipping canal, one that is technologically more advanced and can handle larger ships. Where to put it? Nicaragua.

Really? Yes, beat China at their own game and do it fast. The Nicaragua Canal was proposed and backed by Chinese investors and was to be completed in 2020 at an estimated cost of $50 billion.

Nicaragua Canal Proposed Routes

Can you see the natural location for such a shipping canal?

This would also stabilize Latin American countries by giving them economic space, and it would stem the immigration chaos. This time, don’t give the canal away either. The cost? Perhaps a mere $15 billion, and these days that is much less than the Biden administration budget has proposed to spend…that pesky $6 trillion.

Has China placed military operatives in Latin America to protect Chinese investments, otherwise known as debt trapping? It seems a legitimate question, especially when the left-leaning think tank Foreign Policy Magazine explained the context as recently as June 2020.

Furthermore, Iranian warships are headed to Venezuela with 7 high speed missile boats on board. Additionally, China continues to make plays in the energy sector in Cuba. More debt trapping? Yes.

The America First Policy Institute needs to do some immediate forecasts for national security reasons. The AFPI, which has a stellar staff list, has one particular section called ‘Center for New Frontiers’.

America was not founded to restore an imagined past, but to move its people into a bright and brilliant future. In this first half of the twenty-first century, the United States stands on the precipice of an array of extraordinary possibilities. Dreams from our yesterdays — interplanetary travel, autonomous vehicles, subterranean transit systems, artificial intelligence, 3D printing, organ regeneration, extraordinary new power sources, and beyond — are poised to enter our tomorrows. The America First Policy Institute (AFPI) will research and develop policies that nurture America’s experimental spirit.

A new infrastructure plan such as a shipping canal is just the cure for future supply chain protections and stabilizing countries in our own hemisphere when other key industries and manufacturing must relocate to either or both Central America and back to the United States.

Fauci Lands Book Deal, What about Wuhan?

Dr. Anthony Fauci landed a book deal and will be the subject of a documentary featuring his work during the COVID-19 pandemic despite his constant flip-flopping on virus-related topics such as prolonged lockdowns, school reopenings, and the origins of the coronavirus.

“Expect the Unexpected: Ten Lessons on Truth, Service, and the Way Forward,” the National Institute of Allergy and Infectious Diseases (NIAID) director’s book, will be published by National Geographic Books and available to the public by as early as November 2.

“In his own words, world-renowned infectious disease specialist Anthony Fauci shares the lessons that have shaped his life philosophy, offering an intimate view of one of the world’s greatest medical minds as well as universal advice to live by,” the book description on Amazon reads. More book details here.

Dr. Fauci is the highest paid government employee and frankly should be prosecuted, that is, before he is fired.

*** Fauci said he tested negative for coronavirus Saturday ...

Related reading:

In a newly resurfaced paper from 2012, Dr. Anthony Fauci argued that the benefits of gain-of-function research are worth the increased risk of a potential pandemic-causing lab accident.

The Weekend Australian unearthed a paper Fauci wrote for the American Society for Microbiology in October 2012 in which he argued in support of gain-of-function research. Such research involves making viruses more infectious and/or deadly. Experts have raised the possibility that the COVID-19 pandemic could have originated from a potential lab leak at the Wuhan Institute of Virology in Wuhan, China, where gain-of-function experiments on bat coronaviruses have been conducted.

***

Here is a tip sheet for the gigantic number of questions that still need to be asked about the China virus.

Since we don’t trust U.S. media sources and rightly so, it is prudent to go elsewhere in the world and learn what other experts know. Additionally, it is important to add in other U.S. agencies that have a conduit to all things China virus.

Consider the following below:

  1. How about USAID?

    PREDICT is enabling global surveillance for pathogens that can spillover from animal hosts to people by building capacities to detect and discover viruses of pandemic potential. The project is part of USAID’s Emerging Pandemic Threats program and is led by the UC Davis One Health Institute.

    PREDICT was initiated in 2009 to strengthen global capacity for detection and discovery of viruses with pandemic potential that can move between animals and people. Those include coronaviruses, the family to which SARS and MERS belong; paramyxoviruses, like Nipah virus; influenza viruses; and filoviruses, like the ebolavirus.

    Working with partners in over 30 countries, the project is investigating the behaviors, practices and ecological and biological factors driving disease emergence, transmission and spread using the One Health approach.

    Through these efforts, PREDICT has improved global disease recognition and has developed strategies and policy recommendations to minimize pandemic risk. Read more here.

  2. From a media source in India, in part: This research paper has been published by a newspaper in Australia. It has been said that the discussion of using the coronavirus as a biological weapon started in China in 2015 itself. At that time, scientists of China’s People’s Liberation Army (PLA) and senior health officials in China had prepared a research paper, titled “The Unnatural Origin of SARS and New Species of Man-Made Viruses as Genetic Bio-weapons”.

    This means that in the year 2019, when the first case of coronavirus came to light in the city of Wuhan, China, a research paper was already prepared 4 years before that and it was prepared by the Chinese army scientists and senior health officers. More details here.

  3. How about a media source from Taiwan? TAIPEI (Taiwan News) — Amid concerns about the safety and efficacy of Sinopharm’s COVID-19 vaccine, the history of the company’s lab in Wuhan has raised suspicions among biowarfare experts, the U.S. government, and the Taiwanese military over whether it continues to serve as a dual-use biological warfare (BW) facility for the People’s Liberation Army (PLA).

    In 1993 and again in 1995, China declared the Wuhan Institute of Biological Products (WIBP), the hub of Sinopharm’s COVID-19 vaccine development, to be one of eight dual-use BW research facilities under its “national defensive biological warfare R&D program.” Although China has denied having an “offensive” biological warfare program since signing the Biological and Toxin Weapons Convention (BTWC), also known as the Biological Weapons Convention (BWC), in 1984, the U.S. State Department in 2005 alleged that “China maintains some elements of an offensive [biological weapon] capability in violation of its BTWC obligations” and repeated the same charges in 2010, 2012, and 2014. The .pdf summary is found here –> https://idsa.in/system/files/jds/jds_9_2_2015_DanyShoham.pdf

  4. How about British Intelligence? The former head of Britain’s Secret Intelligence Service (MI6), Sir Richard Dearlove, said that the question of a lab leak has become an “intelligence issue” in which British spies may need to “incentivise” defectors within the communist country to come forward and reveal the truth of the origin of the Wuhan virus.

    A senior Whitehall security source told the Daily Telegraph — a newspaper with close ties to the ruling Conservative government — that British intelligence investigators are working alongside their American counterparts to uncover the real origin of the pandemic.

    “We are contributing what intelligence we have on Wuhan, as well as offering to help the American to corroborate and analyse any intelligence they have that we can assist with,” said the source.

    “What is required to establish the truth behind the coronavirus outbreak is well-sourced intelligence rather than informed analysis, and that is difficult to come by.”

    Sir Richard Dearlove, who has been a vocal proponent of the idea that the virus emanated from the Wuhan laboratory, said that many scientists refrained from backing the idea out of fear of appearing to side with former President Donald Trump. source

  5. How about Ft. Detrick? That is the location for the National Biodefense Analysis and Countermeasures Center, which by the way is under the supervision of DHS… NBACC’s 160,000 square-foot facility and 51,927 square feet of lab space includes two centers: the National Bioforensic Analysis Center (NBFAC), which conducts technical analyses in support of federal law enforcement investigations, and the National Biological Threat Characterization Center, which conducts experiments and studies to better understand biological vulnerabilities and hazards. NBACC is committed to maintaining a culture of safety. Its fully accredited, state-of-the-art lab facilities are at the biosafety levels (BSL) 2, 3, and 4, providing the highest standards of safety and experimental capability available. Its BSL-4 accreditation allows NBACC to perform R&D on pathogens for which no vaccine or treatment exists and makes it one of seven such facilities in the United States. NBACC is a partner in the National Interagency Confederation for Biological Research at Fort Detrick. This consortium includes the Centers for Disease Control and Prevention, Food and Drug Administration; National Cancer Institute; National Institute of Allergy and Infectious Diseases Integrated Research Facility; Naval Medical Research Center Biological Defense Research Directorate; U.S. Army Installation Management Command; U.S. Army Medical Research and Materiel Command; U.S. Army Medical Research Institute of Infectious Diseases; and U.S. Department of Agriculture Foreign Disease-Weed Science Research Unit. As an interagency partner, NBACC coordinates a range of scientific, technical, operational, and infrastructure-related activities that enhance scientific collaboration and productivity. The fact sheet is here.

  6. We have forgotten the Chinese scientists and other operatives working at U.S. universities or other American agencies. Harvard University Professor and Two Chinese Nationals Charged in Three Separate China Related Cases

  7. Anyone asking questions of the Rocky Mountain Laboratories in Montana? NIAID’s Rocky Mountain Laboratories (RML) in Hamilton, Montana, produced images of the novel coronavirus (SARS-CoV-2, previously known as 2019-nCoV) on its scanning and transmission electron microscopes on Tuesday, Feb. 11, 2020. SARS-CoV-2 causes COVID-19 disease, which has grown to be a global public health emergency since cases were first detected in Wuhan, China, in December 2019. RML investigator Emmie de Wit, Ph.D., provided the virus samples as part of her studies, microscopist Elizabeth Fischer produced the images, and the RML visual medical arts office digitally colorized the images.

  8. There is the University of Texas, the University of Alabama and last but not least the University of California at Irvine.

There are likely thousands who know more, but they remain silent. Why?


SolarWinds Strikes Again and Again

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY), has held only one meeting on SolarWinds and none related to DarkSide, both of which have caused major interruptions in the supply chain and national security. It was last February that the committee hosted a session via WebEx with a few witnesses, at which nothing was determined or solved.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.” More here.

***

Solarwinds Management Tools - Full Control Networks source details

New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targeted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.
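The mechanism described above defeats the simplest defender check: the link a recipient sees sits on the legitimate bulk-mailer's domain, so a first-hop allowlist passes it, and only the redirect chain reveals where it lands. The following is an added example (not code from the DOJ release, Microsoft, FireEye, or the articles quoted on this page) of triaging such links offline. Every hostname, the redirect table, and the trusted-domain list are constructed placeholders standing in for what a URL-rewriting mail gateway or sandbox would record when it resolves each hop.

```python
"""
Triage bulk-mail links by following their redirect chain (offline, from a
recorded table) and checking where each chain finally lands.

All hosts below are constructed for this example; none are real infrastructure.
"""
from urllib.parse import urlparse

# Constructed redirect table: what a gateway observed when it resolved each hop.
# Keys are URLs as they appeared in messages; values are the next hop.
REDIRECTS = {
    # A tracked mailer link whose chain leaves the trusted organisations.
    "https://links.mailer.example/ls/click?u=abc123":
        "https://alert.attacker-infra.example/special-alert",
    "https://alert.attacker-infra.example/special-alert":
        "https://cdn.attacker-infra.example/download",
    # A tracked mailer link that lands on the sending organisation's own site.
    "https://links.mailer.example/ls/click?u=def456":
        "https://www.agency.example/newsletter",
    # A redirect loop, to show the hop bound doing its job.
    "https://links.mailer.example/ls/click?u=loop1":
        "https://links.mailer.example/ls/click?u=loop2",
    "https://links.mailer.example/ls/click?u=loop2":
        "https://links.mailer.example/ls/click?u=loop1",
}

# Hosts a legitimate message from this sender is expected to land on:
# the sending organisation and the bulk-mail service it uses (constructed).
TRUSTED_SUFFIXES = ("agency.example", "mailer.example")

MAX_HOPS = 8  # bound on redirects followed per link


def _host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def _trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def follow_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return the list of URLs visited starting at `url`.

    Stops at the first URL with no recorded redirect, on revisiting a URL
    (loop), or after max_hops hops.
    """
    chain = [url]
    seen = {url}
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        chain.append(nxt)
        if nxt in seen:      # loop detected; the repeated URL ends the chain
            break
        seen.add(nxt)
    return chain


def classify_link(url, redirects=REDIRECTS):
    """Return (verdict, chain) for one link.

    The key verdict is 'trusted-link-redirects-off-trust': the visible link is
    on a trusted host, but the chain ends somewhere else.
    """
    chain = follow_chain(url, redirects)
    final = chain[-1]
    if len(chain) > 1 and final in chain[:-1]:
        return "redirect-loop", chain
    if len(chain) > MAX_HOPS:
        return "too-many-hops", chain
    if not _trusted(_host(url)):
        return "untrusted-first-hop", chain
    if not _trusted(_host(final)):
        return "trusted-link-redirects-off-trust", chain
    return "ok", chain


def triage_message(links, redirects=REDIRECTS):
    """Classify every link in a message; returns {url: verdict}."""
    return {u: classify_link(u, redirects)[0] for u in links}


if __name__ == "__main__":
    sample_links = list(REDIRECTS)[:1] + [
        "https://links.mailer.example/ls/click?u=def456",
        "https://links.mailer.example/ls/click?u=loop1",
        "https://www.unrelated.example/page",
    ]
    for link, verdict in triage_message(sample_links).items():
        print(f"{verdict:36} {link}")
```

The first-hop check alone would mark the `abc123` link as fine; only following the chain exposes the off-trust landing host, which is the property this campaign relied on. A gateway that rewrites links can record the same table from real resolutions, and the loop and hop bounds keep a hostile redirect chain from tying up the resolver.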

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.”

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.