Nobelium: How the CyberPeace Institute responded to news of attacks on NGOs?

Q&A with CyberPeace Institute’s Bruno Halopeau, Chief Technology Officer

 1. Firstly, tell us what was this cyberattack and what is Nobelium?

In a public communication on 25 May 2021 Microsoft’s Threat Intelligence Center announced that the group Nobelium – a major cyber hacker – had infiltrated the emailing platform of the U.S. Agency for International Development (USAID) which leads the U.S. Government’s international development and disaster assistance efforts.    

The cyber criminals used this access to build an email phishing campaign which targeted over 150 organizations worldwide including non governmental organizations (NGO’s) and civil society organizations (CSO’s). These malicious emails aimed to trick recipients into believing that this was a legitimate contact from USAID. If they clicked on the email they could have handed over sensitive information or downloaded malware (harmful software) in their systems.

At this stage, it seems that the threat actor behind this attack was also behind the SolarWinds hack revealed in December 2020.

 2. What was the CyberPeace Institute’s response when it learned of this attack? 

Importantly, we had to check that our own infrastructure was not impacted, which to the best of our knowledge was not the case. As we are not a recipient of USAID funds this was unlikely but we did a thorough analysis.

We also immediately reached out to our network to identify if any of the NGO’s and CSO’s that we work with were affected and if we could provide them with support. For those requesting our advice or support, we were able to share our knowledge about how to manage this type of cyber attack and to provide our capabilities in forensic analysis to assess whether this malware was affecting their ICT infrastructure.

 3. What should organizations be doing to protect themselves?

NGO’s and CSO’s are often ill-prepared to face cyberattacks yet their services can be critical to large groups of people. Should such organizations be disrupted by cyberattacks, these groups of people may be left vulnerable. Preparedness is key. We must assume that a cyberattack will happen and have mitigation plans in place to manage the impact of such an attack.

Specific technical mitigations steps have been detailed in Microsoft blog. New sophisticated email-based attack from NOBELIUM.

At the CyberPeace Institute we have been working with partners, developing and collecting materials which raise awareness and help address the cybersecurity needs of NGOs. This is an important step to better protect the populations they serve.  

We can be contacted by NGO’s for support and advice, and our website provides information on available resources. 

 4. Are there any lessons that can be learned from this and other similar attacks? 

Unfortunately such cyberattacks are becoming more and more frequent, including sadly targeting non governmental and civil society organizations. Organizations which should be beyond attack. We have to draw lessons from this.  

The sophistication of this attack was that the target – USAID – was then used to attempt to compromise a wide network of organizations who had little reason to question that the email was not legitimate. Vital resources of these organizations then have to be used to respond to this  crisis. As I mentioned previously, preparedness is essential as is knowing the steps that must be taken to manage the impact of cyberattacks.  The other essential aspect is caution.  If a request seems strange, even if it comes from a legitimate email address, be cautious.  

Recipients of emails should always ask themselves questions such as “does it make sense for me to receive this?”  Would this person/organization ask me to open this file? Should I call this person/organization to see if they really sent this email?  

Reaching out to organizations like the CyberPeace Institute for support can be a lifeline at such times. In addition to the information on our website, a useful resource is the Digital First Aid Kit available at This resource is a collaborative effort of the Rapid Response Network and CiviCERT

Copyright:  The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.


Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.


Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.