The threat actor behind last year’s major SolarWinds hack has led a new targeted campaign spanning nearly 3,000 emails.
Nobelium has this time gone after more than 150 organisations, encompassing government agencies, think tanks, consultants and non-governmental organisations. Although the United States received the largest share of attacks, targeted victims span at least 24 countries, according to Microsoft.
“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.
The hacking group, known in the security industry as APT29, Cozy Bear, The Dukes and Nobelium, has been tied to the Russian Foreign Intelligence Service (SVR) by the US and UK governments. It has a long history of targeting governmental or government-tied organisations, sometimes using zero-day exploits to gain initial access.
According to Burt, the hackers accessed USAID's account on Constant Contact, the service it uses for email marketing. From there, Nobelium distributed phishing emails whose links, when clicked, delivered a malicious file used to install a backdoor called NativeZone.
“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt said.
According to Microsoft, “many” of the attacks were blocked by Windows Defender, but Burt called the attacks notable for three reasons.
“First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Burt wrote. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.
“Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organisations.”
The third reason, Burt said, is the continued acceleration of nation-state cyber attacks. “We need clear rules governing nation-state conduct in cyber space and clear expectations of the consequences for violation of those rules,” he added.
Improving payload delivery and target selection over time
In January, after the SolarWinds compromise was discovered and organisations were advised how to detect and protect themselves against Nobelium’s backdoors, the group shifted its approach to email-based attacks.
According to Microsoft, these started slowly and used features of Google's Firebase platform for mobile and web app development to host a malicious ISO disc image, and then crafted emails that would track information about the computers of users who clicked on the URLs.
In a follow-up iteration, the group switched from a URL to an HTML attachment that, when opened, would write the ISO file to disk and encourage the user to open it. Windows File Explorer mounts ISO files as external drives, so their contents can be browsed and opened like any other files.
In this case, the rogue ISO contained a shortcut file (LNK) that, if opened, would load a malicious DLL that was actually a customised version of the Cobalt Strike Beacon implant. Cobalt Strike is a penetration testing framework that has been adopted by hackers as well as red teams and the beacon is the payload or backdoor dropped on compromised systems.
The custom Cobalt Strike Beacon used by Nobelium has been dubbed NativeZone by Microsoft. The ISO also contains a decoy document that is opened at the same time so the user doesn't become suspicious.
The group's email campaigns continued throughout February, March and April in a targeted manner and with various modifications to the payload delivery and reconnaissance techniques. Instead of using Firebase to collect information about targeted systems, the group moved to a different service and embedded the functionality directly in the HTML email attachment.
In another wave it added a first-stage implant written in .NET dubbed BoomBox that used Dropbox to host information collected about the victim's system or to download additional files.
On May 15, the group launched its largest email campaign, targeting 3,000 individual accounts by crafting emails to appear as originating from USAID and using election fraud documents as bait. The emails were sent through Constant Contact, a legitimate email marketing service, after the hackers gained access to USAID's account on the platform.
The rogue emails carry the legitimate Constant Contact headers and sending addresses and contain a link pointing to Constant Contact infrastructure. From there the user is redirected to a server and domain controlled by Nobelium that serves the ISO. As in previous campaigns, the ISO contains a LNK file, a decoy PDF document and the custom Cobalt Strike Beacon.
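The delivery chain described above (an ISO written to disk, mounted by File Explorer, and a shortcut inside it that hands a DLL to a loader) leaves a recognisable sequence in endpoint telemetry. The following is an added detection example, not code from the article or from Microsoft's analysis: it correlates constructed Sysmon-style FileCreate and ProcessCreate records, and the 15-minute window, the choice of explorer.exe as the launching parent, and the rundll32/regsvr32 loader list are all assumptions to tune for your own estate.

```python
"""Heuristic detection for the ISO -> LNK -> DLL chain.

Added example, not from the article or the Microsoft report. The events
below are constructed to resemble Sysmon EventID 11 (FileCreate) and
EventID 1 (ProcessCreate) fields; thresholds and process lists are assumptions.
"""
import re
from datetime import datetime, timedelta

# Assumed: how long after the .iso lands on disk a DLL load from a mounted
# volume is still considered related to it.
WINDOW = timedelta(minutes=15)

# Assumed: a user double-clicking a shortcut inside a mounted image is
# launched by File Explorer.
USER_LAUNCHERS = {"explorer.exe"}

# Assumed: loaders that execute a DLL named on their command line.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

SYSTEM_DRIVE = "C:"

# Matches a drive-letter path such as D:\payload.dll in a command line.
DRIVE_PATH = re.compile(r"\b([A-Za-z]):\\")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def refers_to_other_drive(cmdline):
    """True if the command line points at a path on a non-system drive,
    which is where a mounted ISO's contents appear."""
    return any(m.group(1).upper() + ":" != SYSTEM_DRIVE
               for m in DRIVE_PATH.finditer(cmdline))


def find_iso_lnk_chains(events):
    """Return (host, iso_path, cmdline) for each DLL loader that Explorer
    started with a non-system-drive path within WINDOW of an .iso being
    written on the same host."""
    iso_drops = {}   # host -> [(time, path)]
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["time"])):
        host = ev["host"]
        if ev["event"] == "FileCreate" and ev["target"].lower().endswith(".iso"):
            iso_drops.setdefault(host, []).append((_ts(ev["time"]), ev["target"]))
        elif ev["event"] == "ProcessCreate":
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
            if (image in DLL_LOADERS and parent in USER_LAUNCHERS
                    and refers_to_other_drive(ev["cmdline"])):
                t = _ts(ev["time"])
                for drop_t, path in iso_drops.get(host, []):
                    if timedelta(0) <= t - drop_t <= WINDOW:
                        alerts.append((host, path, ev["cmdline"]))
                        break
    return alerts


# Constructed sample telemetry: one true chain (WS01), one benign rundll32
# from the system drive (WS02), one .iso followed by a load far outside the
# window (WS03).
SAMPLE_EVENTS = [
    {"time": "2021-05-25 10:00:00", "host": "WS01", "event": "FileCreate",
     "target": r"C:\Users\alice\Downloads\report.iso"},
    {"time": "2021-05-25 10:03:12", "host": "WS01", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe D:\Documents.dll,Open"},
    {"time": "2021-05-25 10:05:00", "host": "WS02", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"time": "2021-05-25 09:00:00", "host": "WS03", "event": "FileCreate",
     "target": r"C:\Users\bob\Downloads\linux.iso"},
    {"time": "2021-05-25 11:00:00", "host": "WS03", "event": "ProcessCreate",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe D:\setup.dll,Install"},
]

if __name__ == "__main__":
    for host, iso, cmd in find_iso_lnk_chains(SAMPLE_EVENTS):
        print(f"ALERT {host}: {iso} then {cmd}")
```

Run on its own the script reports only the WS01 chain. Because the logic keys on behaviour (an image dropped, then a loader started from a mounted volume) rather than on file names or hashes, it survives the kind of payload and lure changes the article says Nobelium made between waves; the cost is that legitimate software installed from an ISO can trip it, which is why the window and loader list should be tuned against your own baseline.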
"Microsoft security researchers assess that Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope," Microsoft said in an analysis of the attack. "It is anticipated that additional activity may be carried out by the group using an evolving set of tactics."
The company has released indicators of compromise for the campaigns as well as a set of recommendations for customers using Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Office or its online products.
These include turning on cloud-delivered protection, running EDR in block mode, enabling network protection, using two-factor authentication for email accounts and other services that support it, using device discovery and enabling an attack surface reduction rule that prevents Office applications from creating child processes.
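Of the recommendations above, the three that live in Microsoft Defender Antivirus settings on each endpoint can be applied and verified from an elevated PowerShell prompt. The block below is an added example, not part of the article or of Microsoft's advisory; the rule GUID is Microsoft's published identifier for the "Block all Office applications from creating child processes" rule, and everything else here assumes a single Windows host with the Defender PowerShell module available. EDR in block mode, device discovery and multi-factor authentication are tenant-level settings configured in the Microsoft 365 Defender portal and the identity provider, so they are not covered by these cmdlets.

```powershell
# Added example (not from the article or Microsoft's advisory).
# Run from an elevated PowerShell prompt on the endpoint.

# 1. Cloud-delivered protection. 'Advanced' sends detection telemetry so that
#    a newly seen payload variant can be blocked on first sight.
Set-MpPreference -MAPSReporting Advanced

# 2. Network protection blocks outbound connections to known-malicious
#    domains, such as a redirector that serves an ISO. Set AuditMode first on
#    a pilot group to review what would be blocked, then switch to Enabled.
Set-MpPreference -EnableNetworkProtection Enabled

# 3. Attack surface reduction rule: block Office applications from creating
#    child processes. Add-MpPreference appends to the existing rule list
#    instead of overwriting it, so other rules already configured are kept.
$officeChildProcRule = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $officeChildProcRule `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Verify the resulting state. MAPSReporting shows 2 for Advanced;
#    EnableNetworkProtection shows 1 for Enabled and 2 for AuditMode; the two
#    ASR arrays are parallel, so rule N pairs with action N.
Get-MpPreference |
    Select-Object MAPSReporting, EnableNetworkProtection,
                  AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

In a managed estate these same settings are normally pushed through Intune or Group Policy rather than set per host; the cmdlets are still useful for confirming that the policy actually landed on a given machine.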
Attack exploits third-party services
What makes this latest Nobelium email campaign stand out is that it was launched from a compromised legitimate account on a third-party service. Similar to the SolarWinds supply chain attack, this abuses an existing trust relationship between victims and an organisation.
Business email compromise (BEC) attacks, in which hackers impersonate company executives to trick employees into making bogus payments, also sometimes use hacked email accounts. Nor is this the first time Nobelium has abused online services or targeted IT companies to use them as launchpads for its attacks. The group also puts a lot of time and effort into reconnaissance and collecting information about victims.
Additional background reporting by Lucian Constantin (CSO)