According to Microsoft, the threat actor who breached SolarWinds’ supply chain has returned and is attacking government agencies, think tanks, consultants, and NGOs. The threat actor has attacked such agencies and institutions in 24 nations, including the U.S. “This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Tom Burt, Microsoft’s Corporate Vice President for Customer Security and Trust, said. “At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work.” Security researchers have identified numerous actors responsible for the intrusions, including Nobelium, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity). According to reports, the latest intrusion in a series began on Jan. 28, 2021, before reaching a new level on May 25. Constant Contact, a legitimate mailing service, was exploited to conceal malicious activity and masquerade as USAID, a U.S.-based development organization, for a large-scale phishing campaign that distributed phishing emails to organizations across industry verticals.
“Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID,” Burt said. The emails included a link that, when clicked, delivered a malicious optical disc image file (“ICA-declass.iso”) used to inject a custom Cobalt Strike Beacon implant named NativeZone (“Documents.dll”). As observed in previous incidents, the backdoor comes integrated with features such as lateral movement, data exfiltration, and the ability to install additional malware.

In a variation of the targeted attacks detected before April, Nobelium experimented with profiling the target machine after the email recipient clicked a link. When the underlying operating system turned out to be iOS, the victim was redirected to a second remote server to download the exploit for the then-zero-day CVE-2021-1879. On March 26, Apple acknowledged that the flaw may have been actively exploited.

An estimated 600 nongovernmental organizations (NGOs), research institutions, government entities, and international agencies from the United States and Europe were targeted in the campaign, according to a report by Volexity.

As evidenced by the latest attacks, the threat actor is using unique infrastructure and tools against each target, which gives them a high level of stealth and allows them to remain undetected for a long period of time. The constantly evolving nature of Nobelium’s tradecraft may also be a direct response to the SolarWinds disclosure, suggesting the attackers may continue to experiment with their tactics to meet their objectives. “When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Burt said. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”
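One defensive way to surface the ISO-to-DLL delivery chain described above, as an added example that is not from the article or from any vendor’s tooling: it correlates a disk-image mount of a downloaded .iso with a DLL loaded shortly afterwards from the drive letter that mount created. The event fields and the sample telemetry are constructed assumptions modelled on EDR-style logs, not a real product schema.

```python
# Added example (not from the article): flag DLL loads from a freshly mounted ISO.
# Event shape is an assumption modelled on EDR/Sysmon-style telemetry.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values below)
    host: str
    kind: str      # "iso_mount" or "image_load"
    path: str      # .iso path for iso_mount, loaded image path for image_load
    drive: str = ""  # drive letter assigned to the mounted image, e.g. "E:"


def iso_delivered_dll_loads(events: List[Event], window: int = 600) -> List[dict]:
    """Return DLL loads from a drive that was mounted from an .iso within `window` seconds."""
    mounts: Dict[Tuple[str, str], Event] = {}   # (host, drive letter) -> mount event
    hits: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "iso_mount" and ev.path.lower().endswith(".iso"):
            mounts[(ev.host, ev.drive.upper().rstrip(":"))] = ev
        elif ev.kind == "image_load" and ev.path.lower().endswith(".dll"):
            # Drive letter of the loaded image, "" for UNC or relative paths.
            drive = ev.path[:1].upper() if len(ev.path) > 1 and ev.path[1] == ":" else ""
            mount = mounts.get((ev.host, drive))
            if mount and 0 <= ev.ts - mount.ts <= window:
                hits.append({"host": ev.host, "iso": mount.path, "dll": ev.path,
                             "delay_s": ev.ts - mount.ts})
    return hits


# Constructed sample telemetry: one chain mirroring the article's ISO -> DLL
# delivery, plus benign activity that must not fire.
SAMPLE_EVENTS = [
    Event(1000, "ws01", "iso_mount", r"C:\Users\alice\Downloads\ICA-declass.iso", "E:"),
    Event(1042, "ws01", "image_load", r"E:\Documents.dll"),
    Event(1050, "ws01", "image_load", r"C:\Windows\System32\kernel32.dll"),
    Event(2000, "ws02", "iso_mount", r"D:\installers\office.iso", "F:"),
    Event(9000, "ws02", "image_load", r"F:\setup.dll"),   # far outside the window
]

if __name__ == "__main__":
    for hit in iso_delivered_dll_loads(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the mount event would come from disk-image or volume-arrival telemetry and the load event from image-load records; tuning the window and excluding known installer images keeps the rule quiet.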