We would like to share with you the plans and procedures we've put in place in response to the cyber attack campaign operated by the threat actor group NOBELIUM.
The Situation
Microsoft Threat Intelligence Center (MSTIC) has uncovered an evolving and sophisticated wide-scale malicious email campaign operated by NOBELIUM, the group behind last year's SolarWinds supply chain attack. The campaign has been observed operating since January 2021, with the group evolving its attack tactics for delivering the malicious package.
Like most phishing tactics, the attackers attempt to lure users into opening the e-mail, followed by either opening a malicious file or clicking a malicious link. One example of this nature involved e-mails purportedly originating from the USAID government agency, with a lure referencing foreign threats to the 2020 US Federal Elections. The e-mail contained a malicious link that resulted in a redirection request to download an ISO file onto the victim's system. The ISO file contained both decoy and malicious files. If an unsuspecting victim opened the malicious files, the malware infection would begin, providing persistent remote access to the attackers.
Interestingly, the phishing message and delivery method were not the only evolving factors in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served.
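The two delivery behaviours described above (a clicked link that is redirected to an ISO download, and a redirector that profiles the device and sends different clients to different hosts) both leave a visible trace in web proxy logs. The following script is an added example written for this advisory; it is not Ensign's detection platform code, nor anything published by Microsoft or Volexity. The log format, hostnames, IP addresses and user-agent strings are constructed for illustration and carry no relation to the real campaign's infrastructure.

```python
"""Flag proxy-log sessions that match the NOBELIUM delivery chain described above.

Added example (not from the advisory). Log format, field layout and all
hostnames/addresses below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed proxy log lines: <timestamp> <client> <method> <url> <status> <user-agent>
SAMPLE_LOG = """\
2021-05-25T10:01:02Z 10.0.0.5 GET https://mail.example-good.test/inbox 200 Windows-Desktop
2021-05-25T10:01:09Z 10.0.0.5 GET https://tracking.example-bad.test/click?id=123 302 Windows-Desktop
2021-05-25T10:01:10Z 10.0.0.5 GET https://cdn.example-bad.test/report.iso 200 Windows-Desktop
2021-05-25T10:05:00Z 10.0.0.7 GET https://tracking.example-bad.test/click?id=124 302 iPhone-iOS
2021-05-25T10:05:01Z 10.0.0.7 GET https://profile.example-bad.test/landing 200 iPhone-iOS
2021-05-25T10:09:00Z 10.0.0.9 GET https://files.example-good.test/ubuntu.iso 200 Windows-Desktop
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.+)$")


@dataclass
class Event:
    ts: str
    client: str
    method: str
    url: str
    status: int
    user_agent: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, status, ua = m.groups()
        events.append(Event(ts, client, method, url, int(status), ua))
    return events


def host_of(url: str) -> str:
    return urlsplit(url).hostname or ""


def _by_client(events: list[Event]) -> dict[str, list[Event]]:
    per_client: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        per_client[e.client].append(e)
    return per_client


def redirect_to_iso(events: list[Event], window: int = 2) -> list[dict]:
    """A client receives a 302 and, within `window` subsequent requests, fetches
    a .iso from a different host. A direct ISO download with no redirect
    (e.g. a Linux image from a file server) is deliberately not flagged."""
    findings = []
    for client, evs in _by_client(events).items():
        for i, e in enumerate(evs):
            if e.status != 302:
                continue
            for nxt in evs[i + 1:i + 1 + window]:
                if nxt.url.lower().endswith(".iso") and host_of(nxt.url) != host_of(e.url):
                    findings.append({
                        "client": client,
                        "redirector": host_of(e.url),
                        "iso_url": nxt.url,
                        "ts": nxt.ts,
                    })
                    break
    return findings


def device_dependent_redirects(events: list[Event]) -> dict[str, dict[str, set[str]]]:
    """Map each redirecting host to {user_agent: {next host}} and keep only
    redirectors that send different user agents to different destinations,
    the device-profiling behaviour described in the advisory."""
    table: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for evs in _by_client(events).values():
        for i, e in enumerate(evs[:-1]):
            if e.status == 302:
                table[host_of(e.url)][e.user_agent].add(host_of(evs[i + 1].url))
    return {
        host: {ua: set(dests) for ua, dests in by_ua.items()}
        for host, by_ua in table.items()
        if len({frozenset(d) for d in by_ua.values()}) > 1
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in redirect_to_iso(evs):
        print("ISO via redirect:", f)
    for host, by_ua in device_dependent_redirects(evs).items():
        print("Device-dependent redirector:", host, dict(by_ua))
```

The two detectors are intentionally narrow: `redirect_to_iso` keys on the redirect-then-ISO sequence rather than on ISO downloads alone, so ordinary image downloads do not page an analyst, and `device_dependent_redirects` needs at least two distinct user-agent families hitting the same redirector before it reports anything, which is what distinguishes a profiling server from a plain link shortener.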
The History
NOBELIUM, a group connected to Russia, has historically targeted government and non-government organisations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. In this case, Microsoft reported at least a quarter of targets work with international development, humanitarian, and human rights work. The phishing attack has so far targeted some 3,000 accounts at more than 150 organisations across multiple industries based in the United States and Europe. The victims span 24 countries, though most attacks were aimed at the US.
The following industries have been observed being targeted thus far:
Microsoft further noted that this campaign differs significantly from NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents.
Ensign Posture & Monitoring
Ensign has stepped up monitoring operations for our clients across both cloud and on-premises infrastructure. Our Managed Detection and Response platform and our proprietary machine learning analytics can detect and block malicious artifacts. Coupled with network layer defence, our protection controls prevent applications or users from accessing malicious sites. We have performed rounds of checks to verify that security configurations and patches are up to date.
Our Recommendations
If you require further cybersecurity advice or services, please contact us at marketing@ensigninfosecurity.com.
References:
https://beta.darkreading.com/attacks-breaches/solarwinds-attackers-impersonate-usaid-in-advanced-email-campaign
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/