The same group behind the SolarWinds cyberattack recently used the email-marketing account of a US aid agency to send thousands of phishing emails to more than 150 organizations.
As Microsoft’s Customer Security and Trust (CST) team outlined this week, a hacking group known as Nobelium gained access to the Constant Contact account of the US Agency for International Development (USAID). Constant Contact is an email marketing firm, so access to the USAID account allowed Nobelium to spam about 3,000 accounts with emails that looked like they were coming from USAID.
Instead, these emails “included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” says Tom Burt, corporate VP for Microsoft CST. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work, Burt says.
In a statement, a Constant Contact spokesperson said the company is “aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”
Pooja Jhunjhunwala, USAID acting spokesperson, says “the forensic investigation into this security incident is ongoing,” and the agency is currently working with “all appropriate federal authorities,” including Homeland Security and the US Cybersecurity and Infrastructure Security Agency (CISA).
CISA says it’s “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
Intelligence Gathering Efforts
According to Burt, Nobelium is based in Russia, and the group “is the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”
Microsoft says it automatically blocked “many of the attacks targeting our customers,” while “Windows Defender is blocking the malware involved in this attack.” It notes that there’s “no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.” (The SolarWinds attack allowed hackers to view Microsoft source code.)
This campaign dates back to January 2021, at which point Microsoft believes Nobelium was using Google Firebase to test the waters with potential victims and perhaps regroup after the SolarWinds scheme was exposed. It sent phishing emails that tracked who clicked links inside the messages but did not deliver any malware.
This “experimentation” continued for several months but “escalated significantly” on May 25. At that point, automated systems blocked most of the Nobelium emails and marked them as spam. “However, automated systems might have successfully delivered some of the earlier emails to recipients,” Microsoft says.
If a Nobelium email landed in your inbox and you clicked, the hackers would gain access to your network, allowing them to poke around, remove data, and deliver additional malware.
“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations,” Burt says.
Microsoft notes that “this is an active incident.” Burt says the attack shows that we “need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”