According to the New York Times, Microsoft says the state-backed Russian hacker group Nobelium—the same actor behind the 2020 SolarWinds attacks—took control of the State Department’s United States Agency for International Development email system. 

This bold attack, expected to be ongoing, breached federal government supplier systems sending out official-looking emails to over 3,000 accounts across more than 150 organizations. Recipients regularly receive emails from this agency and would have no reason to believe they are malicious. These code-implanted emails give unlimited access to recipient computer systems leaving the entire agency open to data loss and network-wide risk.

It is unknown at this time how many attempts have led to intrusions. But this ongoing campaign—a Russian hacker intelligence-gathering effort targeting government agencies involved in foreign policy—points out the software supply chain security challenges many agencies and organizations face today. 

The earlier SolarWinds hack exploited a technology provider’s software update supply chain. In this campaign, hackers used the same methodology, gaining access to Constant Contact, a trusted mass email provider. In both cases, hackers undermine the technology ecosystem. 

Because the use of third-party software is now so widespread, these kinds of exploits will continue to grow. One way to address this risk is to look for vulnerabilities before they become problems. Our continuous testing platform can help mitigate security risks by allowing you to test systematically at each level of the SDLC. Hacker-powered security helps security teams increase visibility, manage costs, and address evolving threats with consolidated, scalable security solutions.

Learn more about how HackerOne can help you reduce software supply chain risk.

Posted by Charlie