A new phishing campaign conducted by the same Russian group responsible for the SolarWinds intrusion has been running for several months. In some cases it leveraged access to the legitimate email marketing account of the United States Agency for International Development (USAID), and it has targeted more than 150 government agencies, humanitarian organizations, and NGOs in more than 20 countries.
The campaign began in January and has evolved several times since then, with the most recent wave using USAID's Constant Contact account to send spear-phishing emails to a subset of targets. The messages include a lure related to election fraud documents, and if the victim clicks on the link, the eventual result is the installation of several malicious payloads that give the actors persistent access to the system. The phishing attacks are the work of APT29, the group that the U.S. government blamed for the SolarWinds intrusion last year. The group is called Nobelium by Microsoft and is thought to be associated with Russia’s Foreign Intelligence Service, or SVR. The new activity is separate from the operation that targeted SolarWinds and other companies last year, and researchers at the Microsoft Threat Intelligence Center (MSTIC) and Volexity found that the group was using some clever methods to get the malware payloads past detection systems.
The first wave of the campaign in January was essentially a test phase, with the attackers sending only the tracking section of the emails to see who was clicking on them.
“In the next evolution of the campaign, MSTIC observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft’s team said in a post on the campaign.
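As an added, defender-side illustration of the chain Microsoft describes above (this is not code from the page or from Microsoft or Volexity), the following Python correlates three kinds of constructed endpoint telemetry: an ISO file written by a browser process, a mount of that image, and a DLL loaded from the mounted volume. The event schema, process names and file names are assumptions made for the example.

```python
from typing import Dict, List

# Constructed sample telemetry (not from the page). The field layout is a
# hypothetical normalised schema; adapt it to what your EDR or Sysmon pipeline emits.
EVENTS = [
    # Suspicious chain: browser writes an ISO, the user mounts it, a DLL loads from the new drive.
    {"ts": 1, "type": "file_write", "proc": "chrome.exe",
     "path": r"C:\Users\alice\Downloads\Election-Docs.iso"},
    {"ts": 2, "type": "volume_mount", "proc": "explorer.exe",
     "path": r"C:\Users\alice\Downloads\Election-Docs.iso", "volume": "E:"},
    {"ts": 3, "type": "image_load", "proc": "rundll32.exe", "path": r"E:\Documents.dll"},
    # Benign chain: ISO staged by a deployment tool, mounted, installer run, no DLL loaded from it.
    {"ts": 4, "type": "file_write", "proc": "sccm-agent.exe", "path": r"C:\Staging\office.iso"},
    {"ts": 5, "type": "volume_mount", "proc": "explorer.exe",
     "path": r"C:\Staging\office.iso", "volume": "F:"},
    {"ts": 6, "type": "process_start", "proc": "setup.exe", "path": r"F:\setup.exe"},
]

# Processes whose writing of an ISO to disk is worth tracking (HTML smuggling lands here).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def find_iso_dll_chains(events: List[Dict]) -> List[Dict]:
    """Correlate: ISO written by a browser -> that ISO mounted -> DLL loaded from the mounted volume."""
    browser_isos = set()    # lower-cased paths of ISO files a browser dropped
    suspect_volumes = {}    # drive letter -> ISO path, for mounts of those files
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev["path"].lower()
        if ev["type"] == "file_write" and ev["proc"].lower() in BROWSERS and path.endswith(".iso"):
            browser_isos.add(path)
        elif ev["type"] == "volume_mount" and path in browser_isos:
            suspect_volumes[ev["volume"].upper()] = path
        elif ev["type"] == "image_load" and path.endswith(".dll"):
            drive = ev["path"][:2].upper()
            if drive in suspect_volumes:
                alerts.append({"ts": ev["ts"], "proc": ev["proc"],
                               "dll": ev["path"], "iso": suspect_volumes[drive]})
    return alerts


if __name__ == "__main__":
    for alert in find_iso_dll_chains(EVENTS):
        print("ALERT: DLL loaded from browser-dropped ISO:", alert)
```

The benign deployment sequence produces no alert because no DLL is loaded from its volume; in production the browser set and the DLL-load check should be tuned against your own baseline of legitimate ISO use.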
Neither Microsoft nor Volexity identified any of the agencies or organizations that were targeted in the campaign, but the phishing lure and the sectors of the targets suggest that the actors were specifically after access to government and government-adjacent networks. In the months following the disclosure of the SolarWinds intrusion, the Biden administration took a number of actions designed to punish and deter the Russian government, including formally attributing the operation to the SVR and expelling several Russian diplomats. But those actions don’t appear to have moved the group off its agenda.
“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said.
“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.”
The Volexity researchers did not directly attribute the new campaign to APT29, but said that it does share quite a few characteristics with past campaigns by that group.
“After a relatively long hiatus with no publicly detailed spear phishing activity, APT29 appears to have returned with only slight changes to its historical TTPs. In this instance, the attacker purports to be from USAID, enticing victims into clicking an embedded file to download and execute a malicious ISO file. In doing so, the CobaltStrike Beacon implant is executed, providing remote access to the attackers,” Volexity researchers said.
“At the time of writing, all files involved have relatively low static detection rates on VirusTotal. This suggests the attacker is likely having some success in breaching targets.”