News

Microsoft Describes Nobelium Attacks Targeting USAID

• By Kurt Mackie
• 05/28/2021

The Nobelium espionage group targeted about 3,000 e-mail accounts, commencing May 25, a Thursday Microsoft announcement indicated.

The attacks, which leverage e-mails looking like they come from the U.S. Agency for International Development (USAID), are mostly happening in the United States. They've affected "more than 150 different organizations" across 24 countries, according to Tom Burt, Microsoft's corporate vice president for customer security and trust.

This spearphishing campaign is perhaps more effective because the attackers first gained access to a Constant Contact e-mail service account that was used by USAID, according to another announcement by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Threat Intelligence team:

On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.

The USAID's Constant Comment account was used to issue the fake USAID e-mails, which included "malicious" URL links.

These malicious URLs work in various ways to install an ISO that sets up a Cobalt Strike command and control center for the attackers. Sometimes the Google Firebase platform is used to stage these ISO files, and sometimes they are encoded within an HTML document.

The use of ISO files can slip by antivirus software because it avoids the "Mark of the Web" security approach that Microsoft implemented way back with Windows XP, noted Will Dormann, a vulnerability analyst with the U.S. Cybersecurity and Infrastructure Security Agency (CERT). He explained the concept in this 2019 CERT post. CERT, which advises U.S. government agencies, recommended applying Microsoft mitigations in a Thursday announcement.

The attacks are ongoing, and while they currently can get blocked by cloud-based security solutions, there may have been an initial period where they went undetected, according to MSTIC and the Microsoft 365 Defender Threat Intelligence team. The announcement included a list of indicators of compromise to check, as well as "mitigation" steps, although those steps appear to be specific to Microsoft security products.

Constant Comment acknowledged the compromise via a Twitter post, and indicated that it had disabled an affected account:

We are aware that a bad actor accessed one of our customer's account credentials to send malicious emails. This appears to be an isolated incident. We have temporarily disable the impacted accounts, and are collaborating with the customer as they work with law enforcement.

Nobelium (formerly called "Solorigate" by Microsoft) is an advanced persistent threat group that's infamous for having injected malware into SolarWinds' Orion management software product to conduct widespread espionage. Both Microsoft and the Biden administration have identified Nobelium as an attack group associated with Russia.