Microsoft reported that the group behind last year's SolarWinds supply chain attack has launched a sophisticated, wide-scale email campaign that delivers malicious links and impersonates the United States Agency for International Development (USAID).
Microsoft’s Threat Intelligence Center (MSTIC) stated that it has been tracking this activity, operated by Nobelium, since January 2021, and that it has evolved as the group experiments with new tactics. To date, the phishing attacks have targeted 3,000 accounts at more than 150 organizations across multiple industry verticals. The victims are in 24 countries, although most of the attacks are directed at the United States.
Nobelium is a group with established ties to Russia that has historically targeted organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. In this case, Microsoft reports that at least a quarter of its targets are involved in international development, humanitarian, and human rights work.
Its latest campaign uses Constant Contact, a legitimate mass-mailing service for email marketing. Because of the large number of emails distributed in this campaign, automated email threat detection marked many of the malicious emails as spam. However, depending on configuration and policy settings, some automated detection systems may have successfully delivered them.
Microsoft reported that the attackers were able to take control of USAID’s Constant Contact account, allowing them to send authentic-looking emails from USAID to thousands of victims. The May 25th campaign had many iterations; in one example, the email appears to be from USAID, but has a real sender email address that matches Constant Contact.
Microsoft’s corporate vice president for consumer safety and trust, Tom Burt, wrote in a blog post: “Nobelium launched this week's attacks by obtaining the Constant Contact account of the US Agency for International Development.” Burt noted that Microsoft is notifying targeted customers and that there is no indication these attacks used vulnerabilities or flaws in Microsoft products and services.
Using Constant Contact enables an attacker to hide the malicious link behind the email service's URL. Officials noted that many email and document service providers offer a tool to simplify link sharing and provide information about who clicked these links and when they clicked them.
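The two signals described above, a display name claiming USAID while the sending address belongs to the mailing service, and links wrapped by the service's tracking URL, can be checked during mail triage. The following is an added example, not code from Microsoft or from this article; the `mailer.example` hosts, the allowlist mapping and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for illustration: the allowlist of sending domains per protected
# name, and the mass-mailer click-tracking host (placeholder domain).
PROTECTED_SENDERS = {"usaid": {"usaid.gov"}}
TRACKING_HOSTS = {"click.mailer.example"}

# Constructed sample message, not a real campaign email.
SAMPLE = """\
Return-Path: <bounce@mailer.example>
From: "USAID Special Alert" <news@mailer.example>
Subject: New documents published
Content-Type: text/html; charset="utf-8"

<p><a href="https://click.mailer.example/t?id=001">View documents</a></p>
<p>More: https://www.usaid.gov/</p>
"""

def under(host, domains):
    # True if host equals, or is a subdomain of, any listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    """Concatenate all decoded text parts (handles multipart messages)."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw_message):
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Signal 1: display name claims a protected sender, address domain does not match.
    for name, domains in PROTECTED_SENDERS.items():
        if name in display.lower() and not under(from_domain, domains):
            findings.append(("display-name-mismatch", name, from_domain))
    # Signal 2: link points at a mailer redirector, so the real destination is hidden.
    for url in re.findall(r"https?://[^\s\"'<>]+", body_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        if under(host, TRACKING_HOSTS):
            findings.append(("wrapped-link", host))
    return findings
```

A `wrapped-link` finding means the visible URL says nothing about the destination, so the redirect should be resolved in a sandbox before the link is scored.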
When clicked, the malicious link in the email results in the delivery of an ISO file containing a malicious LNK file, a malicious DLL file, and a legitimate decoy document that references foreign threats to the 2020 U.S. federal election. Volexity researchers explained this threat in a blog post published this week. Microsoft noted that the DLL is a custom Cobalt Strike Beacon loader, which it calls NativeZone.
If deployed successfully, these payloads give the attacker persistent access to the infected system, allowing them to move laterally, steal data, deploy other malware, and infect other computers on the network.
MSTIC wrote in another blog post: “Microsoft security researchers believe that Nobelium’s spear phishing operations are recurring, and the frequency and scope have increased.” The post shares the details of this attack, its evolution, and mitigation measures. “It is expected that the team can use a set of evolving strategies to carry out other activities.”
Take a closer look at Nobelium’s strategy
Burt explained that there are several reasons why this active campaign is noteworthy. Considered alongside the SolarWinds attack, it is clear that Nobelium aims to break into trusted technology providers and infect their customers.
Burt wrote: “Through piggybacking on software updates and now a large number of email providers, Nobelium increases the chance of collateral damage during espionage and undermines trust in the technology ecosystem.”
Unlike the attack on SolarWinds, this campaign underscores the consistency of cyber espionage. John Hultquist, vice president of analysis at Mandiant Threat Intelligence, said that the stealth and discipline of the SolarWinds attack were striking, but loud and widespread spear phishing attacks used to be the “calling card” of SVR operators, who launched noisy phishing campaigns. The Russian Foreign Intelligence Service (SVR) has often effectively gained access to major government agencies and other targets.
He pointed out: “Despite the rapid discovery of spear-phishing emails, we hope that any compromised actions taken by these actors will be skilled and secretive.” This newly identified campaign seems to have accelerated as the supply chain attack wound down, which shows that these threats will not disappear anytime soon.
Hultquist said: “Given the unscrupulous nature of this incident, it seems that SVR is not prepared to curb its cyber espionage activities.”
Kelly Sheridan is a contributing editor of Dark Reading, focusing on cybersecurity news and analysis. She is a business technology news reporter who previously reported for InformationWeek, where she covered Microsoft, and for Insurance & Technology, where she covered finance and economics.