SolarWinds Russian Nobelium Hackers Strike Again, Compromise USAID Constant Contact Account, Microsoft Reports
The threat actors behind the SolarWinds attacks late last year are active again and are targeting international development, humanitarian, and human rights organizations, according to new data from Microsoft. The Russia-based hacking group, which Microsoft calls Nobelium, compromised an email marketing account belonging to USAID and used it to send the targeted organizations phishing emails carrying a link that leads to malware.
Microsoft reported yesterday that Nobelium's latest wave began this week with the breach of USAID's account at Constant Contact, an email marketing service. From that account, the threat actors were "able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone." Because the mail left a legitimate provider from a legitimate customer account, it carried none of the usual signs of a spoofed sender. The backdoor could let the attackers steal data, infect other computers on the network, and more. Microsoft also noted in a separate blog post that this campaign did not start this week: Nobelium had been running earlier, smaller phishing waves since January of this year.
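The check a mail-security team would want here is that SPF and DKIM passing is not evidence the message is safe: when the sender's own email-service-provider account is compromised, the provider authenticates the phish exactly as it would a real bulletin. The following is an added example (not code from Microsoft, HotHardware, or Constant Contact) of a small triage routine that parses a message, confirms it authenticated as a trusted organization, and then lists every link that leaves the organization's domain, since those are the ones that need unwrapping or detonation before anyone clicks. The sample message and all domains (agency.example, esp-sender.example, recipient.example) are constructed for the example.

```python
"""Triage for bulletin-style mail that passes SPF/DKIM but may carry links
planted through a compromised email-service-provider (ESP) account.
Added example; domains and the sample message are constructed."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect the href targets of <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def registrable(host):
    """Crude 'organisation' part of a hostname: the last two labels.
    Assumption: adequate for .gov/.org/.example; production code should
    consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(raw_message, org_domains):
    """Describe why a message that authenticates as one of org_domains may
    still deserve review before its links are clicked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    sender_domain = from_addr.rpartition("@")[2].lower()

    # Receiving MTA's verdict; passing here says only that the ESP was
    # authorised to send, not that the account was under legitimate control.
    auth = str(msg.get("Authentication-Results", "")).lower()
    authenticated = "spf=pass" in auth and "dkim=pass" in auth

    html_part = msg.get_body(preferencelist=("html",))
    hrefs = []
    if html_part is not None:
        parser = LinkExtractor()
        parser.feed(html_part.get_content())
        hrefs = parser.hrefs

    # Links whose host is outside the sender's organisation: ESP click
    # redirectors, file-hosting sites, attacker infrastructure all land here.
    off_domain = []
    for href in hrefs:
        host = urlparse(href).hostname
        if host and registrable(host) != registrable(sender_domain):
            off_domain.append(href)

    if not authenticated:
        verdict = "unauthenticated"       # ordinary filtering handles this
    elif sender_domain in org_domains and off_domain:
        verdict = "review"                # trusted sender, untrusted targets
    else:
        verdict = "ok"

    return {
        "sender_domain": sender_domain,
        "authenticated": authenticated,
        "links": hrefs,
        "off_domain_links": off_domain,
        "verdict": verdict,
    }


# Constructed sample: a bulletin sent through the organisation's own ESP, so
# SPF and DKIM pass, but one link leaves the organisation via the ESP's
# click-tracking redirector and cannot be judged from the mail alone.
SAMPLE_EML = b"""From: Agency Bulletin <bulletin@agency.example>
To: reader@recipient.example
Subject: New report available
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bounce.esp-sender.example; dkim=pass header.d=esp-sender.example
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full report: <a href="https://click.esp-sender.example/r?u=abc123">Download</a></p>
<p>Visit <a href="https://www.agency.example/reports">our site</a>.</p>
</body></html>
"""


if __name__ == "__main__":
    print(triage(SAMPLE_EML, {"agency.example"}))
```

The redirector link is the one that matters: the mail is genuine in every way the receiving server can verify, so the only remaining control is to resolve or detonate off-domain links before they reach a user, and to treat a trusted-sender message with such links as a review item rather than a pass.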
Microsoft says Windows Defender blocks the malware involved, so customers running it had some protection. That is not something to rest on, though, because three things make this attack notable, as Microsoft explains. First, taken together with the SolarWinds compromise, it shows that part of Nobelium's playbook is to "gain access to trusted technology providers and infect their customers." Piggybacking on software updates, and now on a mass email provider, has expansive ramifications: it increases the collateral damage of an espionage operation while also undermining "trust in the technology ecosystem."
Second, Nobelium's activities tend to track "issues of concern to the country from which they are operating." In this case, Nobelium's targeting of human rights and humanitarian organizations points to a political motive behind the intrusions. Third, nation-state cyberattacks of this kind are not slowing in the slightest. The volume of such threats has risen sharply, yet the rules governing nation-state conduct in cyberspace remain minimal and need to be expanded.
As always, Microsoft will continue to track Nobelium, and USAID has presumably begun an investigation into how the account was breached in the first place. Hopefully, this attack and the recent Colonial Pipeline attack will spur better legislation and rules for cybersecurity. This will not be the last attack of its kind, though, so stay tuned to HotHardware for updates.