CISA and FBI: Nearly 350 orgs abused in attacks involving Constant Contact service

Last week, Microsoft shared details of a large phishing campaign targeting government agencies, think tanks, consultants, and non-governmental organizations. The threat actor behind the campaign is believed to be Nobelium (aka Cozy Bear, APT29, or The Dukes), the same group that allegedly carried out last year’s SolarWinds supply-chain compromise.

In the campaign, Nobelium compromised the Constant Contact account of the United States Agency for International Development (USAID), the agency responsible for civilian foreign aid and development assistance. The attackers used the compromised account to send legitimate-looking phishing emails containing a link that, when clicked, delivered a malicious ISO file which dropped a backdoor dubbed NativeZone onto the victim’s system.

At the time, Microsoft said the attacks targeted around 3,000 email accounts at more than 150 organizations. According to a joint alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), however, the attackers sent phishing emails to more than 7,000 accounts across approximately 350 government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs).

“A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs,” the two agencies said.

The email contained a URL that directed the user to a malicious page serving a weaponized ISO file.

“The ISO contains a DLL (a custom Cobalt Strike Beacon version 4 implant), a malicious shortcut file that executes the Cobalt Strike Beacon loader and a PDF titled “Foreign Threats to the 2020 U.S. Federal Elections” with the filename “ICA-declass.pdf.” The PDF file is actually a copy of the Intelligence Community Assessment under Executive Order 13848, which is available online from official sources,” reads the advisory.
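The package the advisory describes (an ISO carrying a shortcut that launches a DLL stored beside it, plus a decoy PDF) can be triaged with a short script once the image is mounted. The following is an added example, not code from CISA, the FBI, Microsoft or this article. It parses only the fixed header and StringData section of Windows shell-link (.lnk) files as laid out in the MS-SHLLINK specification, then flags any shortcut whose target path or arguments name a .dll in the same directory. The sample ISO contents are constructed in a temporary directory; the DLL name (`payload.dll`), the shortcut name (`Documents.lnk`) and the assumption that the shortcut invokes rundll32 on the DLL are all made up for the example, since the advisory excerpt does not give them.

```python
"""Triage a mounted ISO for the shortcut-launches-DLL pattern.

Added example; not code from CISA, the FBI, Microsoft or the article.
It reads only the fixed header and StringData section of Windows
shell-link (.lnk) files, as laid out in MS-SHLLINK, and flags any
shortcut whose target or arguments name a .dll stored beside it.
The sample ISO contents are constructed in a temporary directory;
the DLL name, shortcut name and rundll32 launch line are assumptions.
"""
import os
import struct
import tempfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
IS_UNICODE = 0x80
# StringData entries appear in this fixed order, each gated by its LinkFlags bit.
STRING_DATA = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk(data):
    """Return the StringData fields of a .lnk blob as a dict."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]  # LinkFlags follows the 16-byte CLSID
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts its own 4 bytes
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("latin-1")
            off += count
    return fields


def build_lnk(relative_path, arguments):
    """Constructed minimal Unicode .lnk carrying just RelativePath and Arguments."""
    flags = 0x08 | 0x20 | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def triage_iso_dir(root):
    """Walk the mounted ISO; flag shortcuts that launch a DLL from the same directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        dlls = [f for f in files if f.lower().endswith(".dll")]
        decoys = [f for f in files if f.lower().endswith((".pdf", ".doc", ".docx"))]
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            with open(os.path.join(dirpath, f), "rb") as fh:
                try:
                    info = parse_lnk(fh.read())
                except ValueError:
                    continue
            launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).strip()
            hits = [d for d in dlls if d.lower() in launch.lower()]
            if hits:
                findings.append({"shortcut": f, "launches": hits,
                                 "decoys": decoys, "command": launch})
    return findings


def build_sample_iso_dir():
    """Constructed stand-in for the mounted ISO: decoy PDF, DLL and shortcut."""
    root = tempfile.mkdtemp(prefix="iso_triage_")
    files = {
        # Decoy filename is the one the advisory cites; its content here is a placeholder.
        "ICA-declass.pdf": b"%PDF-1.4 placeholder\n",
        "payload.dll": b"MZ",  # assumed DLL name; content is a placeholder
        # Assumed launch line: the shortcut is assumed to call rundll32 on the DLL.
        "Documents.lnk": build_lnk(r"..\..\..\Windows\System32\rundll32.exe",
                                   "payload.dll,Start"),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in triage_iso_dir(build_sample_iso_dir()):
        print(finding)
```

Point `triage_iso_dir()` at the mount point of a suspicious ISO (or at an extracted copy) to list every shortcut that references a co-located DLL together with the decoy documents found beside it; a shortcut whose StringData is absent or non-Unicode still parses, and anything that is not a shell link is skipped rather than treated as a hit.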

The alert does not mention any link to the SolarWinds attack, nor does it name the government agency that was impersonated.

“CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time. CISA and FBI will update this Joint Cybersecurity Advisory as new information becomes available,” the two agencies said.

CISA and FBI have also shared Indicators of Compromise (IoCs) that organizations can use to detect the attacks.

