Threat actor Nobelium, the state-backed Russian threat group behind last year’s SolarWinds hacking campaign, has launched a new attack targeting government agencies, think tanks, consultants and non-governmental organizations, according to Microsoft and various news outlets.
In a blog post published late Thursday night, Tom Burt, Microsoft’s vice president of customer security and trust, said this wave of attacks targeted approximately 3,000 email accounts across more than 150 different organizations.
Burt wrote that the targeted victims span at least 24 countries, including those involved in international development, humanitarian and human rights work. The lion’s share of the attacks targeted organizations in the United States.
The group gained access to USAID’s Constant Contact account, a service used for email marketing, and was able to distribute authentic-looking phishing emails from there. The phishing campaign began May 25, when the group leveraged Constant Contact to masquerade as a U.S.-based development organization.
The emails from that campaign included a link that, when clicked, delivered a malicious ISO file carrying a backdoor; once installed, the backdoor could be used to infect other computers on the network or to steal data.
“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations,” Burt warned.
By piggybacking on software updates and now mass email providers, he said, Nobelium was increasing the chances of collateral damage in espionage operations and undermining trust in the technology ecosystem.
The Microsoft Threat Intelligence Center (MSTIC) posted its own blog entry detailing the threat and advised that, due to the fast-moving nature of the campaign and its perceived scope, organizations should investigate and monitor communications matching the characteristics described in the report.
Specific preventive measures include enabling network protection to prevent applications or users from accessing malicious domains and other malicious content on the web, using device discovery to increase visibility into networks by finding unmanaged devices, and enabling multifactor authentication (MFA) to mitigate compromised credentials.
“It is anticipated that additional activity may be carried out by the group using an evolving set of tactics,” the blog post warned. “Some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.”
The blog post also details the evolution of the threat, which it traced back to Jan. 28, when the group was using phishing emails that leveraged the Google Firebase platform. Later the threat evolved to an HTML file attached to a spear-phishing email, and finally to a URL that led to an independent website spoofing the targeted organizations, from where the ISO file was distributed.
Microsoft published a list of indicators of compromise from the large-scale campaign, including email addresses and malicious container files (the ISO images), but noted that because the attack is still active, the indicators “should not be considered exhaustive” for the observed activity.
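To make the "characteristics described in the report" concrete for a mail-gateway triage, the following added example (written for this page, not code from Microsoft or from any source quoted in the article) scores a few constructed mail records against the traits the article lists: delivery through Constant Contact, a Reply-To that does not match the apparent sender, a link to an ISO download or to a host that spoofs the impersonated organization, and the earlier HTML-attachment variant. The relay-domain suffix, the mapping of the name token "usaid" to usaid.gov, the extra disk-image extensions, the sample records and every hostname in them are assumptions made for the example; Microsoft's published indicators remain the authoritative list.

```python
"""Characteristic-based triage of mail records for the Nobelium phishing traits
described in the article. Sample data and thresholds are constructed for this
example and are not Microsoft's indicators of compromise."""
from dataclasses import dataclass
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: Constant Contact delivery is recognised by a
# Return-Path under constantcontact.com, and the impersonated organisation's
# legitimate domain is usaid.gov. Only .iso is named by the article; the other
# image extensions are an assumed generalisation to similar mountable files.
BULK_RELAY_SUFFIX = "constantcontact.com"
IMPERSONATED = {"usaid": "usaid.gov"}          # name token -> legitimate domain
IMAGE_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")
HTML_EXTENSIONS = (".html", ".htm")


@dataclass
class MailRecord:
    msg_id: str
    from_hdr: str       # raw From: header
    reply_to: str       # raw Reply-To: header ("" if absent)
    return_path: str    # envelope sender
    urls: list          # URLs extracted from the body
    attachments: list   # attachment file names


def _domain(header: str) -> str:
    """Domain part of an address header, lower-cased; '' if none."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _under(host: str, suffix: str) -> bool:
    """True if host is suffix or a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def analyse(rec: MailRecord) -> list:
    """Return a list of human-readable findings for one record."""
    findings = []
    from_name, _ = parseaddr(rec.from_hdr)
    from_dom, reply_dom, rp_dom = (_domain(rec.from_hdr),
                                   _domain(rec.reply_to),
                                   _domain(rec.return_path))

    # Bulk-mail relay plus a Reply-To that diverts answers elsewhere.
    if _under(rp_dom, BULK_RELAY_SUFFIX) and reply_dom and reply_dom != from_dom:
        findings.append("bulk-mail relay with Reply-To domain %s != From domain %s"
                        % (reply_dom, from_dom))

    # Display name claims the organisation but the address is not its domain.
    for token, legit in IMPERSONATED.items():
        if token in from_name.lower() and not _under(from_dom, legit):
            findings.append("display name claims %s but From domain is %s"
                            % (token.upper(), from_dom or "(none)"))

    # Links: disk-image downloads and look-alike hosts spoofing the organisation.
    for url in rec.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(IMAGE_EXTENSIONS):
            findings.append("link to disk image: %s" % url)
        for token, legit in IMPERSONATED.items():
            if token in host and not _under(host, legit):
                findings.append("link host %s spoofs %s" % (host, legit))

    # Earlier variant of the campaign: HTML file attached to the message.
    for name in rec.attachments:
        if name.lower().endswith(HTML_EXTENSIONS):
            findings.append("HTML attachment: %s" % name)
    return findings


def triage(records: list) -> dict:
    """Map message id -> findings, keeping only records with at least one."""
    return {r.msg_id: f for r in records if (f := analyse(r))}


# Constructed sample records (hostnames and addresses are invented).
SAMPLES = [
    MailRecord("cc-001", "USAID <news@usaid.gov>", "press@attacker.example.net",
               "bounce@in.constantcontact.com",
               ["https://usaid-reports.example.net/ICA-report.iso"], []),
    MailRecord("cc-002", "USAID Newsletter <updates@usaid.gov>", "updates@usaid.gov",
               "bounce@in.constantcontact.com", ["https://www.usaid.gov/news"], []),
    MailRecord("sp-003", "Reports <reports@example.org>", "",
               "reports@example.org", [], ["Report.html"]),
]

if __name__ == "__main__":
    for msg_id, findings in triage(SAMPLES).items():
        print(msg_id, *findings, sep="\n  ")
```

The checks are heuristics over message characteristics rather than a hash or domain blocklist, so they keep firing on new infrastructure; in a real gateway they would be combined with the published indicators and with the Return-Path and Reply-To values your own mail logs record.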
A spokesperson for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security told The New York Times that it had been made aware of the potential compromise and was in contact with the FBI and USAID to study the attack and assist potential victims.
The revelation of the attack comes just days after the Biden administration published an Executive Order aimed at government agencies, vendors and developers, who all will have to design their products with a greater focus on security.
The EO recognizes that federal contracts for IT and OT products and services need to be updated and gives OMB 60 days to review the Federal Acquisition Regulation (FAR) and identify language that needs to be updated to require contractors to report cybersecurity incident data to the Cybersecurity and Infrastructure Security Agency (CISA).
“Nation-state cyberattacks aren’t slowing,” Burt wrote in Microsoft’s blog post on Thursday. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”
He called on the security community to rally around progress made by the Paris Call for Trust and Security in Cyberspace, and more widely adopt the recommendations of the Cybersecurity Tech Accord and the CyberPeace Institute, but warned additional work needed to be done.
Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, a Washington, D.C.-based provider of cloud identity security solutions, told Security Boulevard that if one looks at why many of the breaches over the past few years have occurred, it comes down to three major factors: human factors, identities and credentials, and vulnerabilities.
“The ultimate goal is to compromise systems to commit financial fraud or to steal identities in order to access the company that the target was entrusted to protect,” he said. “When identities are stolen, it provides the attacker with the means to bypass the traditional security perimeter undetected, and if that identity has access to privileged accounts, they can easily carry out insider threats.”
Hank Schless, senior manager of security solutions at Lookout, a San Francisco-based provider of mobile security solutions, said the best first-line defense against an attack like this is training.
“Be sure to constantly run security training and include mobile in those sessions,” he said, noting simple steps such as always checking the sender’s reply-to address or asking IT before replying to a message could save your organization from being the victim of the next big data breach.
He warned any text, email, WhatsApp message or any communication that creates a time-sensitive situation should be a red flag.
“Approach these messages with extreme caution or go straight to your IT and security teams to have them vet it first,” Schless said.