Nobelium, the Russia-aligned gang identified as the perpetrators of the supply chain attack on SolarWinds' Orion software, has struck again, Microsoft vice president Tom Burt in a blog post on Thursday.
Burt's post says the attacks saw Nobelium gain access to accounts on the email marketing service "Constant Contact" operated by The United States Agency for International Development (USAID).
Using Constant Contact, Nobelium sent malware-infused phishing emails that installed a backdoor, called NativeZone, capable of data exfiltration and spreading the malware across victim networks.
The attack is global, although most victims were in the US. The attacks targeted around 3,000 email accounts and 150 different organization, at least a quarter of which were in international development, humanitarian, and the human rights sphere. Those targets were chosen for their potential to yield information on foreign policy.
Microsoft has detailed the attack in a separate post that explains its Threat Intelligence Center has observed the attack since January 2021 and spotted "significant experimentation" but little impact.
That changed on May 25th when Nobelium started using Constant Contact and unleashed "several iterations" of a phishing attack.
Those who clicked on a link were bounced through a legit Constant Contact link to infrastructure the gang controls and URL with the format
https://usaid.theyardservice[.]com/d/<target_email_address>. A malicious ISO then downloads and gives Nobelium persistent access to a compromised machine.
- Who gave dusty Soviet-era spacecraft that unwanted lick of paint? It was an idiot, with a spraycan, in Baikonur
- Us? Pwn SolarWinds? With our reputation? Russian spy chief makes laughable denial of supply chain attack
- Colonial Pipeline was looking to hire cybersecurity manager before ransomware attack shut down operations
- Here's what Russia's SVR spy agency does when it breaks into your network, says US CISA infosec agency
Microsoft says most of the phishing messages are being caught by automated filters, but those that make it through are dangerous. The firm has urged caution, blocking theyardservice.com and adopting multi-factor authentication for any compromised accounts.
News of the new Russian action comes in the week that US president Biden announced a planned mid-June meeting with Russian president Vladimir Putin.
In mid April, the US Department of the Treasury issued sanctions on Russian infosec companies and expelled diplomats from US embassies as a response to Russia’s cyber activities.
At the time, US treasury secretary Janet L. Yellen said:
The President signed this sweeping new authority to confront Russia’s continued and growing malign behavior.
Treasury is leveraging this new authority to impose costs on the Russian government for its unacceptable conduct, including by limiting Russia’s ability to finance its activities and by targeting Russia’s malicious and disruptive cyber capabilities.