The Russian hacking group behind the supply chain attack that poisoned software updates for the SolarWinds Orion platform has been perfecting its email-based attacks over the past few months to plant backdoors inside organizations. These efforts recently escalated with an attack launched from a hijacked email marketing account belonging to USAID and targeted around 3,000 people across over 150 organizations in 24 countries.
The hacking group, known in the security industry as APT29, Cozy Bear, The Dukes and Nobelium, has been tied to the Russian Foreign Intelligence Service (SVR) by the US and UK governments. It has a long history of targeting governmental or government-tied organizations, sometimes using zero-day exploits to gain initial access. In this latest email campaign observed by Microsoft, around a quarter of Nobelium’s targets were organizations involved in international development, humanitarian, and human rights work.
“Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating,” Tom Burt, corporate vice president for Customer Security & Trust at Microsoft, said in a blog post. “This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the US and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations.”
Improving payload delivery and target selection over time
In January, after the SolarWinds compromise was discovered and organizations were advised how to detect and protect themselves against Nobelium’s backdoors, the group shifted its approach to email-based attacks. According to Microsoft, these started slow and used features of Google’s Firebase platform mobile and web app development to host a malicious ISO disc image and then craft emails that would track information about the computers of users who clicked on the URLs.
In a follow-up iteration, the group switched to using an HTML attachment instead of a URL that, when opened, would write the ISO file to disk and encouraged users to open it. ISO files are mounted as external drives in Windows file manager and their contents can be accessed. In this case, the rogue ISO contained a shortcut file (LNK) that, if opened, would load a malicious DLL that was actually a customized version of the Cobalt Strike Beacon implant. Cobalt Strike is a penetration testing framework that has been adopted by hackers as well as red teams and the beacon is the payload or backdoor dropped on compromised systems. The custom Cobalt Strike Beacon used by Nobelium has been dubbed NativeZone by Microsoft. The ISO also contains a decoy document that is opened at the same time so the user doesn’t become suspicious.
The group’s email campaigns continued throughout February, March and April in a targeted manner and with various modifications to the payload delivery and reconnaissance techniques. Instead of using Firebase to collect information about targeted systems, the group moved to a different service and embedded the functionality directly in the HTML email attachment. In another wave it added a first-stage implant written in .NET dubbed BoomBox that used Dropbox to host information collected about the victim’s system or to download additional files.
On May 15, the group launched its largest email campaign, targeting 3,000 individual accounts by crafting emails to appear as originating from USAID and using election fraud documents as bait. The emails were sent through Constant Contact, a legitimate email marketing service, after the hackers gained access to USAID’s account on the platform.
The rogue emails have the legitimate Constant Contact headers and sending addresses and contain a link pointing to the Constant Contact infrastructure. From there the user is redirected to a server and domain controlled by Nobelium that serves the ISO to the user. Like in previous campaigns the ISO contains a LNK file, a decoy PDF document and the custom Cobalt Strike beacon.
“Microsoft security researchers assess that Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” Microsoft said in an analysis of the attack. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
The company has released indicators of compromise for the campaigns as well as a set of recommendations for users using Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Office or its online products. These include turning on cloud-delivered protection, running EDR in block mode, enabling network protection, using two-factor authentication for email accounts and other services that support it, using device discovery and enabling an attack surface reduction rule that prevents Office applications from creating child processes.
Attack exploits third-party services
What makes this latest Nobelium email campaign stand out is that it was launched from a compromised legitimate account on a third-party service. Similar to the SolarWinds supply chain attack, this abuses an existing trust relationship between victims and an organization. Business email compromise (BEC) attacks where hackers trick employees to make bogus payments by impersonating company executives also use hacked email accounts sometimes. This is also not the first time Nobelium has abused online services or targeted IT companies to use them as launchpads for its attacks. The group also puts a lot of time and effort in reconnaissance and collecting information about victims.
“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Microsoft’s Burt said. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”
Copyright © 2021 IDG Communications, Inc.
SolarWinds attacker Nobelium targets over 150 companies in new mass email campaign