The Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale spear phishing campaign driven by Nobelium — the threat actors behind the recent SolarWinds attacks and the SUNBURST backdoor used in those strikes.
Nobelium continues its attacks on U.S. agencies and the private organizations in their sphere. The group managed to hijack an email distribution account used by the United States Agency for International Development (USAID), sending thousands of authentic-looking but malware-laden messages to a variety of human rights groups, think tanks, and other nonprofit organizations.
What we know about Nobelium’s latest attack
Microsoft says it has been tracking this new campaign since January, watching as the attackers experimented with various tactics on a smaller scale. On May 25, the campaign escalated significantly when Nobelium gained control of USAID’s account on the legitimate mass-mailing service Constant Contact. The group used this trusted account to distribute spear phishing messages containing malicious URLs that, if clicked, would deliver a new backdoor that Microsoft is calling NativeZone — enabling the attackers to steal data and spread more malware.
Approximately 3,000 individual accounts across more than 150 organizations were targeted. Most victims were U.S.-based, but the list spans at least 24 countries. At least one quarter of targeted organizations were involved in international development and humanitarian work.
Nobelium’s behavior over the last few months is typical of modern malware threats, which undergo rapid evolution as cybercriminals strive to find more effective avenues of attack and to evade signature-based detection. Even just in the May 25 campaign, several variants of the phishing message were seen.
Between this attack and the one on SolarWinds, it’s now clear that Nobelium’s playbook is to infiltrate major technology providers and infect their customers, taking advantage of users’ established trust in these companies.
While cybercriminals are always tinkering with new threats behind the scenes, this escalation is a notable development. From December’s SolarWinds attacks to the DarkSide strike against Colonial Pipeline earlier this month, we’ve seen several recent high-profile examples of malicious activity against U.S. agencies and infrastructure. The sophistication of social engineering techniques continues to increase as well.
As dangerous cyberthreats continue to evolve with lightning speed, it’s more important than ever to ensure that you have complete cyber protection for all critical data and systems. Acronis Cyber Protect features a threat-agnostic behavioral detection engine that identifies and blocks the suspicious processes that malware relies on — as well as URL filtering capabilities that prevent access to malicious websites used in phishing campaigns. The Acronis Cyber Protection Operation Centers will keep tracking Nobelium's actions alongside other global threats.