USAID Email Phishing Campaign Shows Supply Chain Threats Continue

A Russian-based group’s cyberattack in late May on a range of governmental agencies, think tanks, non-governmental agencies (NGOs) and the like around the world highlights the growing threat from software supply chain campaigns like the high-profile SolarWinds hack that was perpetrated by the same cybercriminals last year.

Cybersecurity experts at both Microsoft and SecureWorks said that the hacker group – called Nobelium by Microsoft but which also is known as APT29 – accessed the Constant Contact email marketing account used by the U.S. Agency for International Development (USAID) to launch phishing campaigns against a broad array of targets.

Microsoft officials said the attack targeted 3,000 email accounts at 150 organizations. Most of those organizations were in the United States, but there were others in about two dozen other countries that are involved in such work as international development, humanitarian issues and human rights, according to the software giant.

“From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Tom Burt, corporate vice president of customer security and trust at Microsoft, wrote in a blog post late last week. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”

SecureWorks Sees Similar Threats

SecureWorks security experts said the targets they saw were similar, though the governmental organizations and NGOs, as well as intergovernmental organizations (IGOs), were based in the United States, Ukraine and the European Union and worked in such areas as anti-corruption activism and conflict mediation in Ukraine and disinformation awareness in the EU.

Specific targets included the U.S. Atlantic Council, the Organization for Security and Co-operation in Europe, the Ukrainian Anti-Corruption Action Center, the EU DisinfoLab and the Irish government’s Department of Foreign Affairs.

One target received an alert from a phishing email sent from USAID’s account that included the words “USAID Special Alert: Donald Trump has published new documents on election fraud” followed by a “view documents” button that probably contains the malicious URL customized to the target, SecureWorks officials wrote in a blog post.

Both Microsoft and SecureWorks said the campaign was ongoing as of late May. Today the U.S. Justice Department seized two domains used in the attacks, but warned there could still be others.

Supply Chain Still a Threat Vector

The combination of the SolarWinds breach and now that of USAID makes clear that supply chain attacks are key to Nobelium’s overall cyberespionage efforts, Microsoft’s Burt wrote. The goal is to exploit trusted technology partners – SolarWinds, by leveraging software updates; USAID, through the email marketing service – to gain access to large numbers of victim organizations and steal data. It also damages the trust companies put into their third-party partners.

“This style of attack proves especially lucrative to attackers for several reasons; a breach on one vendor creates a ripple effect which can have a much higher impact on all organizations downstream,” officials with 1st Global Cyber Security Observatory – which offers a platform for sharing cybersecurity information and innovation – wrote in a report listing the top cybersecurity threats for 2021.

One of those threats is third-party attacks, where numbers are expected to increase as more companies rely on third-party services and technology as their IT environments become more distributed and they lack in-house resources. In addition, the COVID-19 pandemic drove a rapid shift to remote work, which fueled the demand for more outside help and cloud services.

In April, the Identity Theft Resource Center – a nonprofit organization that supports victims of identity crimes – said there was a 42 percent quarter-over-quarter increase in the number of supply chain attacks, with 137 organizations reporting that they were the victims of such campaigns.

SolarWinds Shows Dangers of Third-Party Compromises

The SolarWinds attack was the largest recent example of such an attack. More than 18,000 SolarWinds customers were left vulnerable after Russian hackers were able to push malicious code into an update package of the company’s Orion remote monitoring and management software. Among the victims were nine U.S. government agencies and more than 100 private companies, including Cisco, Intel and Microsoft.

Security experts had suspected a nation-state sponsored cybercriminal organization was behind the attack and eventually pointed the finger at APT29, though the Russian government continues to deny any involvement in the SolarWinds hack.

Now the group is back with the USAID phishing campaign.

“Using legitimate infrastructure is typically the ultimate goal for any attacker, so this was a bonus for Nobelium,” Sean Nikkel, senior cyber threat intel analyst at cybersecurity vendor Digital Shadows, told eSecurity Planet. “Emails from a known provider, such as Constant Contact, help lend legitimacy to any messages, not to mention a higher likelihood that emails would pass domain checks for most security tools out there.”

In the latest case, the emails were sent from a legitimate USAID account that likely had access to already-vetted business contacts “who would also probably expect to get emails from this user or domain. It’s a perfect attacker scenario and – outside of the attachments raising a red flag – would’ve probably fooled even the most cynical of security experts at first glance,” Nikkel said.

Changing Business World Makes Situation Difficult

The highly distributed modern workforce and the growing reliance on mobile technology only exacerbate an already difficult problem, according to Hank Schless, senior manager of security solutions at security vendor Lookout.

“People access their work email on a smartphone or tablet just as much as they do on a computer,” Schless told eSecurity Planet. “Attackers know this and are creating phishing campaigns to take advantage of the mobile interface that makes it hard to spot a malicious message. … Attacks are more difficult to spot on mobile. They’re also easier to deliver, as there are countless ways to send messages on a mobile device.”

Lookout data indicates that about 15 percent of financial services employees encountered a mobile phishing attempt each quarter in 2020.

Awareness, Training are Key

Organizations with a mission that would make them a likely target of Nobelium’s latest campaign should be on the lookout for USAID-themed phishing emails and monitor their networks for activity attributed to the malware and infrastructure related to the attack, according to SecureWorks officials.

More generally, SecureWorks said employees should be trained to recognize phishing attempts, and Microsoft’s Burt said other practices of good cybersecurity hygiene – such as using multi-factor authentication and antivirus and antimalware software – should also be common.

Joseph Carson, chief security scientist and advisory CISO at Thycotic Centrify, told eSecurity Planet that most breaches over the past few years come down to human behavior, identities and credentials, and vulnerabilities, and that mobile, email and social media will continue to be bad actors’ weapons of choice.

A problem is that “most organizations who become victims of email compromise are not resourced internally to deal with incident response or digital forensics, so they typically require external support,” Carson said. “Victims sometimes prefer not to report incidents if the amount is quite small but those who fall for larger financial fraud BEC [business email compromise] that amounts to thousands or even sometimes millions of U.S. dollars must report the incident in the hope that they could recoup some of the losses.”

Organizations should seek expertise in the private sector for incident response and digital forensics, Carson said.

Nation-State Interests

Burt noted that attacks like those of Nobelium and similar groups often are in line with concerns of the country they’re targeting. For example, as the pandemic raged around the world, the Russian-based group Strontium targeted healthcare organizations that were involved in the development and distribution of vaccines. Other issues can include large sporting events like the Olympics and political events like elections.

“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations,” he wrote.

In addition, the threat from nation-states isn’t going to slow down, which means there need to be “clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules,” Burt wrote, citing the work of the Paris Call for Trust and Security in Cyberspace and recommendations put forth by the Cybersecurity Tech Accord and CyberPeace Institute.

JBS Latest Cyber Attack Victim

The pace of high-profile cyber attacks continues unabated. No sooner did the Colonial Pipeline attack fade from the headlines than another SolarWinds-related attack appeared. And in the last day, reports have emerged that 20% of the U.S. meat industry was shut down in an apparent Russia-connected ransomware attack on JBS, maker of the Swift brand.

Ahead of a U.S.-Russian summit, the attacks are likely to increase tensions between the two countries — and add to a growing number of aggressive government initiatives in cybersecurity.

Jeff Burt
Jeffrey Burt has been a journalist for more than three decades, the last 20-plus years covering technology. During more than 16 years with eWEEK, he covered everything from data center infrastructure and collaboration technology to AI, cloud, quantum computing and cybersecurity. A freelance journalist since 2017, his articles have appeared on such sites as eWEEK, eSecurity Planet, Enterprise Networking Planet, Enterprise Storage Forum, The Next Platform, ITPro Today, Channel Futures, Channelnomics, SecurityNow, and Data Breach Today.