Microsoft Discovers Spear-Phishing Attack Campaign by SolarWinds Attackers Nobelium Against 150 Organizations in 24 Countries

essidsolutions

SolarWinds hackers Nobelium, also known as APT29 and Cozy Bear, seem to have moved on to another attack campaign and have been found actively phishing for victims across 150 governmental and non-governmental organizations globally.

It seems the assault on the United States and other governments by the SolarWinds attackers has not ended. Six months after wreaking havoc across the United States through one of the largest cyber espionage campaigns in history, the advanced persistent threat (APT) group known as Nobelium has been found actively targeting governmental and non-governmental organizations around the globe in a phishing campaign.

Also called APT29, the threat actors have been targeting research institutions and international agencies besides NGOs and governments, according to cybersecurity forensics company Volexity.

Microsoft Threat Intelligence Center (MSTIC) discovered that this phishing campaign, which has already targeted thousands of email accounts, has been active since January 2021, which is just a month after the breach in SolarWinds was discovered.

MSTIC said, “The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.”

What’s more, Nobelium used the email marketing account of the U.S. Agency for International Development (USAID) to carry out the spear-phishing attacks against victims that also included foreign agencies.


The Spear-Phishing Campaign by Nobelium

Specifically, Nobelium used the Constant Contact account of USAID to target at least 3000 email accounts from 150 global organizations, at least a quarter of which were involved in humanitarian, international development, and human rights activities.

The emails contain a malicious link and an HTML file which, when clicked, releases an optical disc image (also known as an ISO file) that delivers a backdoor called NativeZone onto the target system. Naturally, the phishing links were concealed behind the URL of the mailing service.

JavaScript embedded in the HTML file writes the ISO file to disk. When the target opens the ISO, it is mounted like an external or network drive; a shortcut inside it (Reports.lnk) invokes a DLL that is actually a customized Cobalt Strike Beacon, giving the threat actors access to the infected system.

The image also contains a decoy PDF file positioned as a lure for victims.

[Figure: Infection Chain | Source: MSTIC]
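As an added defensive illustration (not code from the article, Microsoft or Volexity), the following Python heuristic flags HTML attachments built the way the infection chain above describes: a large base64 blob plus the browser APIs needed to assemble it into a file and save it to disk. The sample HTML, the scoring weights and the threshold are constructed assumptions, not indicators from the campaign.

```python
"""Heuristic scanner for HTML-smuggling style attachments (added example, not from
the article or MSTIC). It flags HTML that embeds a large base64 blob and uses
browser APIs to turn it into a downloaded file, the delivery step described above
(JavaScript inside the HTML writing an ISO to disk). Weights and threshold are
constructed assumptions, not tuned detection rules."""
import base64
import re
from dataclasses import dataclass, field

# Browser-side building blocks commonly combined to drop a file from a page.
API_PATTERNS = {
    "blob_build": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|msSaveOrOpenBlob", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "archive_ext": re.compile(r"\.(iso|img|zip|lnk)\b", re.I),
}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64 run
ISO_MAGIC = b"CD001"  # ISO 9660 volume descriptor identifier

@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    suspicious: bool = False

def scan_html(html: str, threshold: int = 3) -> Verdict:
    """Score one HTML document; 'suspicious' is set when score >= threshold."""
    v = Verdict(score=0)
    for name, pat in API_PATTERNS.items():
        if pat.search(html):
            v.hits.append(name); v.score += 1
    for blob in BASE64_BLOB.findall(html):
        v.hits.append("large_base64_blob"); v.score += 1
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        except Exception:
            continue
        if ISO_MAGIC in raw:  # decoded payload carries an ISO 9660 signature
            v.hits.append("embedded_iso_signature"); v.score += 2
        break  # one blob is enough evidence; avoid decoding everything
    v.suspicious = v.score >= threshold
    return v

# Constructed sample: a fake ISO-like byte string (not a real disc image) embedded
# the way a smuggling page would carry it, next to a benign control document.
_FAKE_ISO = b"\x00" * 256 + b"\x01CD001\x01\x00" + b"\x00" * 256
SAMPLE_HTML = ("<html><body><script>var d='" + base64.b64encode(_FAKE_ISO).decode()
               + "';var b=new Blob([atob(d)]);var a=document.createElement('a');"
               "a.href=URL.createObjectURL(b);a.download='Reports.iso';</script></body></html>")
BENIGN_HTML = "<html><body><p>Quarterly report attached separately.</p></body></html>"
```

Mail-gateway use would run `scan_html` over each HTML attachment and quarantine anything marked suspicious for analyst review.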

The campaign began in late January this year but remained relatively dormant until April 2021, when Microsoft detected the first escalations. The real spike came on May 25, when Nobelium scaled up the deliveries of malicious emails appearing to originate from USAID.

As is the case with spear-phishing, the attackers try to bait the victims with a tailor-made message or a seemingly relevant file which the target is inclined to click or open. Here, they tried to lure the targets with the highly controversial election fraud allegations, supposedly by former POTUS Donald Trump.

[Figure: Screengrab of the Malicious Email | Source: MSTIC]

Tom Burt, corporate vice president of customer security & trust at Microsoft, said, “Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack. We’re also in the process of notifying all of our customers who have been targeted.” However, since the email volume was high, some emails may have slipped through the defense mechanism of automated systems in place, which block malicious emails or mark them as spam.

It is unknown at this point in time whether any systems were compromised through this spear-phishing campaign.

Volexity noted that the characteristics of the attack such as the use of an archive file format with an LNK for initial payload delivery, the use of a US election-themed lure document, the use of CobaltStrike with a custom malleable profile, and the relatively widespread nature of the campaign, are eerily similar to those previously used by Nobelium.

Thus, the company is attributing with ‘moderate confidence’ that this spear-phishing campaign is the work of APT29.

APT29/Nobelium/Cozy Bear

Nobelium, classified as APT29 by the United States government, is a Russia-based APT group that is widely believed to have ties with the Russian government and its intelligence agencies. According to CrowdStrike, APT29 is the same group that compromised the Democratic National Committee’s email servers in 2016 and that perpetrated the 2014 hacks of the White House, State Department, and US Joint Chiefs of Staff.

Believed to have been formed in 2008, the APT group is the prime suspect behind the more recent massive SolarWinds software supply chain attack, in which the attackers infected an update for SolarWinds Orion, a network monitoring product used by approximately 300,000 customers. The compromised update, which included one of several malware strains, namely Sunspot, Sunburst, Teardrop, Raindrop, or Sunshuttle, was rolled out to and downloaded by thousands of customers, of which 18,000 were impacted.

The SolarWinds hack remained hidden for most of 2020 until its discovery by FireEye, whose internal red team tools were stolen. FireEye CEO Kevin Mandia said, “The reality is: The blast radius for this, I kind of explain it with a funnel. It’s true that over 300,000 companies use SolarWinds, but you come down from that total number down to about 18,000 or so companies that actually had the backdoor or malicious code in a network. And then you come down to the next part. It’s probably only about 50 organizations or companies, somewhere in that zone, that are genuinely impacted by the threat actor.”

The number was later reassessed to be over 200. This includes nearly a dozen U.S. federal agencies, such as the FBI and the Departments of Justice, State, Treasury, Homeland Security, Agriculture, Commerce, Veterans Affairs, Housing and Urban Development, and Labor, as well as big tech firms like Microsoft, Cisco, Intel, NVIDIA, and VMware, consulting major Deloitte, and cybersecurity vendors FireEye and CrowdStrike.

The victims were narrowed down by design as part of a broad cyber-espionage campaign, as confirmed by the Cyber Unified Coordination Group (UCG) consisting of the FBI, CISA, and Office of the Director of National Intelligence (ODNI) with support from NSA.


Similarities Between SolarWinds Hack and the Spear-Phishing Campaign

“Cozy Bear’s preferred intrusion method is a broadly targeted spear-phishing campaign that typically includes web links to a malicious dropper. Once executed on the machine, the code will deliver one of a number of sophisticated Remote Access Tools (RATs), including AdobeARM, ATI-Agent, and MiniDionis,” explained CrowdStrike.

Much like the SolarWinds hack, the tactics, techniques, and procedures (TTPs) of this spear-phishing campaign also involved:

  • Targeting a broad attack surface 
  • Use of verified and trusted mass distribution routes (software supply chain vs email marketing)
  • Use of backdoors

Assuming UCG’s assessment is correct, this latest spear-phishing campaign may very well be a cyber-espionage campaign aimed at collecting sensitive information for geopolitical gains. Microsoft’s Burt adds, “This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives.”

Closing Thoughts

The revelation of this attack campaign comes just a month before the highly anticipated summit in Switzerland between Russian President Vladimir Putin and POTUS Joe Biden, their first since the latter was elected.

Despite tensions running high on both sides owing to the SolarWinds hack, the ensuing sanctions on assets owned by Russian citizens, the expulsion of 10 Russian diplomats from the United States, the report of covert bounties offered by Russia to kill U.S. soldiers, Putin’s action against domestic political opponents, and now the news of the spear-phishing campaign, the summit is expected to go ahead as planned.

“If Moscow is responsible, this brazen act of utilizing emails associated with the U.S. government demonstrates that Russia remains undeterred despite sanctions following the SolarWinds attack,” said Representative Adam B. Schiff (CA). “Those sanctions gave the administration flexibility to tighten the economic screws further if necessary — it now appears necessary.”

What’s necessary is the capability to tighten the security screws, which is ALWAYS necessary, especially with an adversary like Russia.
