Microsoft: Hackers behind SolarWinds attack targeted over 150 orgs, govt agencies, NGOs


A threat actor thought to be responsible for last year's widespread SolarWinds supply chain compromise has targeted over 150 organizations across at least 24 countries, Microsoft says.

In a blog post published Thursday, Microsoft vice president Tom Burt revealed that the company had detected a wave of cyberattacks conducted by Nobelium, the same threat actor believed to have compromised SolarWinds. The attacks targeted around 3,000 email accounts at more than 150 different organizations, including government agencies, think tanks, consultants, and non-governmental organizations.

“While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt wrote.

In the campaign, which Microsoft has been tracking since January 2021, the hackers gained access to the Constant Contact (an email marketing service) account of the United States Agency for International Development (USAID). The attackers then used the compromised account to distribute legitimate-looking phishing emails containing a link which, when clicked, dropped a malicious file that planted a backdoor dubbed NativeZone on the victim's system. This backdoor allows attackers to perform various activities, ranging from stealing data to infecting other machines on the network.

The hackers used the Google Firebase platform both to stage an ISO file containing malicious content and to record attributes of those who accessed the URL, according to the Microsoft Threat Intelligence Center (MSTIC).

“In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” MSTIC wrote.
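The chain MSTIC describes (an HTML attachment whose JavaScript materialises an ISO on disk, which the user then mounts) is commonly called HTML smuggling, and a mail gateway or sandbox can score attachments for its building blocks. The following Python heuristic is an added example, not Microsoft's or MSTIC's code: it looks for the client-side file-writing APIs, a `download` target with a mountable or executable extension, and large embedded base64 blobs, and it decodes those blobs to identify an ISO 9660 image by its `CD001` volume descriptor. The two sample documents are constructed fixtures; the "ISO" inside the suspicious one is a header-only stub with no content.

```python
"""Heuristic scoring of HTML email attachments for HTML-smuggling indicators.

Added example for illustration; not code from Microsoft or MSTIC. Sample
inputs below are constructed and inert.
"""
import base64
import binascii
import re

# JavaScript APIs that build a file in the browser and hand it to the user.
BLOB_APIS = ("new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(", "atob(")

# A download target ending in an extension Windows auto-mounts or executes.
DOWNLOAD_RE = re.compile(
    r'download\s*=\s*["\']?([^"\'\s>]*\.(iso|img|vhd|vhdx|lnk|dll))',
    re.IGNORECASE,
)

# Runs of base64 text of at least 1 KiB: typical of an embedded payload,
# but also of a legitimate inline image, so this alone is not conclusive.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")


def identify_blob(b64_text):
    """Decode a base64 run and classify it by file signature.

    Returns None if the text is not valid base64, otherwise one of
    'pe', 'iso9660', 'png' or 'unknown'.
    """
    try:
        data = base64.b64decode(b64_text, validate=True)
    except (ValueError, binascii.Error):
        return None
    if data[:2] == b"MZ":
        return "pe"
    # ISO 9660 primary volume descriptor: 'CD001' at byte offset 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:4] == b"\x89PNG":
        return "png"
    return "unknown"


def score_html(html):
    """Return the list of indicator strings found in an HTML document."""
    findings = []
    for api in BLOB_APIS:
        if api in html:
            findings.append("js-api:" + api.rstrip("("))
    m = DOWNLOAD_RE.search(html)
    if m:
        findings.append("download-ext:." + m.group(2).lower())
    for run in BASE64_RUN.findall(html):
        kind = identify_blob(run)
        if kind is not None:
            findings.append("embedded-blob:" + kind)
    return findings


def is_suspicious(html, threshold=3):
    """Flag a document when at least `threshold` indicators co-occur."""
    return len(score_html(html)) >= threshold


# --- constructed fixtures -------------------------------------------------

# A benign newsletter with an inline PNG: one large base64 blob, nothing else.
_FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000
BENIGN_SAMPLE = (
    "<html><body><p>Quarterly update</p>"
    "<img src='data:image/png;base64,"
    + base64.b64encode(_FAKE_PNG).decode()
    + "'></body></html>"
)

# A smuggling-style document. The embedded 'ISO' is only a zero-filled stub
# carrying the CD001 descriptor, so it contains nothing executable.
_FAKE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x01" * 10
SMUGGLING_SAMPLE = (
    "<html><body><script>"
    + "var p='" + base64.b64encode(_FAKE_ISO).decode() + "';"
    + "var b=new Blob([atob(p)],{type:'application/octet-stream'});"
    + "var a=document.createElement('a');a.href=URL.createObjectURL(b);"
    + "a.download='report.iso';"
    + "</script></body></html>"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        print(name, is_suspicious(doc), score_html(doc))
```

The threshold keeps a lone inline image from tripping the rule, while the combination of a blob-building API, a `.iso` download name and a decoded ISO 9660 signature scores well above it; in a real pipeline the blob classification is the finding worth alerting on, since the other indicators also appear in legitimate web applications.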

The researchers also noted that if the targeted device was an Apple iOS device, the user was redirected to another attacker-controlled server, which served the since-patched zero-day exploit for CVE-2021-1879.

More technical details and indicators of compromise (IOCs) related to this campaign can be found in the MSTIC blog post.
