
The Kremlin-backed hackers who targeted SolarWinds customers in a supply chain attack were caught running a malicious email campaign that delivered malware links to 150 government agencies, research institutions and other organizations in the US and 23 other countries, according to Microsoft.
The hackers, who belong to Russia’s foreign intelligence agency, first managed to compromise an account belonging to USAID, a US government agency that manages civilian foreign and development aid. With control of the agency’s account with the online marketing company Constant Contact, the hackers were able to send emails that appeared to come from addresses known to belong to the US agency.
Nobelium goes native
“From there, the actor was able to distribute phishing emails that looked authentic but contained a link that, when clicked, inserted a malicious file that was used to distribute a backdoor we call NativeZone,” Microsoft Vice President of Customer Security and Trust Tom Burt wrote in a post published Thursday evening. “This backdoor could enable a wide variety of activities, from stealing data to infecting other computers on a network.”
The campaign was run by a group Microsoft calls Nobelium, also known as APT29, Cozy Bear, and the Dukes. Security firm Kaspersky has said the group’s malware dates back to 2008, while Symantec has said the hackers have targeted governments and diplomatic organizations since at least 2010. There’s more about the anomalous and old-fashioned coding features of this group here. Last December, Nobelium’s notoriety reached a new high with the discovery that the group was behind the devastating breach of SolarWinds, a maker of network management tools based in Austin, Texas. After the hackers thoroughly compromised SolarWinds’ software development and distribution system, they distributed malicious updates to approximately 18,000 customers of the tool, called Orion. The hackers then used the updates to compromise nine federal agencies and about 100 private sector companies, White House officials said.
Security firm FireEye said the hacking group used a variety of other lures in addition to USAID content, including diplomatic notes and embassy invitations. It went on to say that targeting the campaign at governments, think tanks and related organizations has been a traditional focus for operations conducted by the Foreign Intelligence Service, known as the SVR.
“While SolarWinds’ activity was notable for its stealth and discipline, loud, broad spear phishing operations were once the calling card of SVR operators who often ran noisy phishing campaigns,” John Hultquist, Vice President of Analysis at Mandiant Threat Intelligence, owned by FireEye, said in an email. “Those operations were often effective, gaining access to major government agencies, among other things. And while the spear-phishing emails were quickly identified, we expect any action taken after these actors compromised would be highly skilled and unobtrusive.”
Blast from the past
On Tuesday, Nobelium sent emails to 3,000 different addresses; the emails purported to be a special alert from USAID about new documents that former President Trump had published about election fraud. One of the emails looked like this:
[Image: sample phishing email. Credit: Microsoft]
People who clicked on the link were first redirected to the legitimate Constant Contact service, but shortly after, they were redirected to a file hosted on Nobelium servers, Microsoft said. After targets were redirected, JavaScript caused visitor devices to automatically download a type of archive file known as an ISO image.
As the image below shows, the ISO image contained a PDF file, an LNK file called Reports, and a DLL file called Documents, which was hidden by default.
[Image: contents of the ISO image, with the hidden DLL shown. Credit: Microsoft]
When a target clicked on the Reports file, it opened the PDF as a decoy and ran the DLL in the background. The DLL in turn installed the NativeZone backdoor. A separate post published by the Microsoft Threat Intelligence Center, or MSTIC, said the backdoor enabled Nobelium to gain persistent access to compromised machines so that the group could “perform action targets such as lateral movement, data exfiltration and delivery of additional malware.”
Tuesday’s attack was just the latest wave of what MSTIC believes was a widespread malicious spam campaign that began in late January. Since then, the campaign has evolved in a series of iterations that have demonstrated “significant experimentation”.
When Microsoft first saw the campaign, it hosted the ISO on Firebase, Google’s cloud platform for mobile and web apps. During this early iteration, Microsoft said, the ISO image contained no malicious payload, leading company researchers to conclude that its purpose was to “capture attributes of those who accessed the URL.” At a later stage, the campaign sent emails containing an HTML file. When opened, JavaScript wrote an ISO image to the disk and encouraged the target to open it.
The course of this last attack phase looked like this:
[Image: diagram of the attack chain in this phase. Credit: Microsoft]
iOS zero day
Nobelium continued to experiment with multiple variations. In one wave, no ISO payload was delivered at all. Instead, a Nobelium-controlled web server profiled the target device. If the target device was an iPhone or iPad, the server delivered what was then a zero-day exploit for CVE-2021-1879, an iOS vulnerability that allowed hackers to launch a universal cross-site scripting attack. Apple patched the zero-day at the end of March.
Thursday night’s MSTIC post continued:
The experimentation continued through most of the campaign, but began to escalate in April 2021. During the waves in April, the actor stopped using Firebase and stopped tracking users with a special URL. Their techniques shifted to encode the ISO into the HTML document and have it responsible for storing target host data on a remote server through the use of the api.ipify.org service. The actor sometimes used checks for specific internal Active Directory domains that would terminate execution of the malicious process if it identified an unintended environment.
In May 2021, the actor changed techniques again by keeping the HTML and ISO combination, but dropped a custom .NET implant in the first stage, detected as TrojanDownloader:MSIL/BoomBox, which reported host-based crawl data to, and downloaded additional payloads from, the Dropbox cloud storage platform.
On May 25, the NOBELIUM campaign escalated significantly. Using the legitimate mass mailing service Constant Contact, NOBELIUM attempted to target approximately 3,000 individual accounts at more than 150 organizations. Due to the massive campaign, automated systems blocked most emails and marked them as spam. However, it is possible that automated systems successfully delivered some of the previous emails to recipients.
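A defender-side check that follows from the HTML-smuggling iterations described above (JavaScript writing an ISO to disk, then the ISO encoded directly inside the HTML document). This is an added example, not code from the article or from Microsoft or Volexity: it scans an HTML attachment for base64 blobs that decode to an ISO 9660 image. The sample HTML and the ISO-shaped blob are constructed here, and the list of browser download primitives is an assumed set of hints, not indicators taken from the page.

```python
import base64
import re

# ISO 9660 reserves a 32 KiB system area; the primary volume descriptor that
# follows carries the magic string "CD001" at byte offset 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
MIN_ISO_BYTES = ISO_MAGIC_OFFSET + len(ISO_MAGIC)

# Runs of the base64 alphabet (line breaks allowed, since smuggling pages
# often wrap the blob); padding is optional.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\r\n]{64,}={0,2}")

# Browser primitives that turn an in-page blob into a file on disk (assumed
# hint list for this example).
DROP_PRIMITIVES = (b"msSaveOrOpenBlob", b"createObjectURL", b"new Blob(")


def is_iso9660(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_smuggled_isos(html: bytes) -> list:
    """Return one finding per base64 blob in `html` that decodes to an ISO."""
    hits = []
    for m in B64_RUN.finditer(html):
        text = re.sub(rb"\s", b"", m.group(0))
        if len(text) < (MIN_ISO_BYTES * 4) // 3:
            continue  # too short to hold even the first volume descriptor
        try:
            blob = base64.b64decode(text, validate=True)
        except ValueError:
            continue  # not valid base64 after all (e.g. a long run of prose)
        if is_iso9660(blob):
            hits.append({"offset": m.start(), "decoded_size": len(blob),
                         "drop_primitive": any(p in html for p in DROP_PRIMITIVES)})
    return hits


# Constructed sample (not a real attachment): an ISO-shaped blob made of a
# zeroed system area plus a primary volume descriptor header, inlined in HTML.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01" + b"\x00" * 2041
SAMPLE_HTML = (b"<html><body><script>var b='" + base64.b64encode(FAKE_ISO)
               + b"';\nnavigator.msSaveOrOpenBlob(new Blob([b]), 'sample.iso');"
               b"</script></body></html>")

if __name__ == "__main__":
    for hit in find_smuggled_isos(SAMPLE_HTML):
        print(f"smuggled ISO at byte {hit['offset']}: {hit['decoded_size']} bytes")
```

The check only catches plain base64; a blob that is XOR'd or otherwise transformed before decoding in the browser needs the script to be emulated or the delivered file to be inspected on the endpoint instead.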
Security firm Volexity, meanwhile, published its own post that provides even more details. Among them, the Documents.DLL file checked target machines for the presence of security sandboxes and virtual machines, as shown here:
[Image: sandbox and virtual machine checks in Documents.DLL. Credit: Volexity]
Both MSTIC and Volexity provided multiple indicators of compromise that organizations can use to determine if they were targeted by the campaign. MSTIC further warned that this week’s escalation is unlikely to be the last we’ll see from Nobelium or from the ongoing email campaign.
“Microsoft security researchers assess that Nobelium’s spear-phishing operations are returning and have increased in frequency and scope,” the MSTIC post concluded. “The group is expected to be able to perform additional activities using an evolving array of tactics.”
Post updated at 8:51 AM California time to add details from FireEye.