
How SolarWinds Hackers ‘Nobelium’ Used Constant Contact in Mass Phishing Campaign

The latest cyberattack by the Russian state-sponsored group Nobelium, which was also behind the SolarWinds hack, used the Constant Contact email marketing service to send phishing emails with a malicious link to download.


Nation state-backed cyberattacks are more widespread than ever, and they often cast doubt on the cybersecurity readiness of the nation they hit. For instance, the infamous SolarWinds supply chain attack targeted several U.S. government agencies and compromised the networks of nine government agencies and 100 private organizations globally. While investigations are still ongoing, Microsoft recently revealed that Nobelium, the Russia-based cybercriminal group behind the SolarWinds hacks, is now targeting government agencies, think tanks, consultants, and non-governmental organizations globally.

Nobelium targeted over 3,000 email accounts of more than 150 global organizations. Around 25% of the targeted organizations were involved in international development, humanitarian, and human rights work.

“Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack. We’re also in the process of notifying all of our customers who have been targeted. We detected this attack and identified victims through the ongoing work of the MSTIC team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services,” Microsoft said.

Sophisticated Email-based Attack

Microsoft stated that the Nobelium group launched its attack by illicitly gaining access to USAID's account on Constant Contact, an email marketing service. From that account, the attackers sent phishing emails containing a malicious link which, when clicked, downloaded a malicious file used to distribute a backdoor dubbed NativeZone. The backdoor let the attackers carry out a range of activities, from stealing data to infecting other computers on the network.

As per Microsoft, the attacks from the Nobelium group are notable for three reasons:

  1. When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.
  2. Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating.
  3. Nation-state cyberattacks aren’t slowing. There is a dire need for clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.

“The Microsoft Threat Intelligence Center (MSTIC) observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft added.
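The chain Microsoft describes (an HTML attachment whose JavaScript assembles a disk image in the browser and offers it for download) is commonly called HTML smuggling, and it can be caught at the mail gateway before any ISO is mounted. The following triage script is an added example written for this article; it is not code from Microsoft, MSTIC, or the article's author. It scans an HTML attachment for generic in-browser file-assembly markers, extracts any large base64 blob, and checks whether the decoded bytes carry the ISO 9660 volume identifier. The marker list, the scoring thresholds, and the sample attachment are my own assumptions for the demonstration, not a published signature.

```python
"""
Added example (not from the article or Microsoft): gateway-side triage of an
HTML email attachment for the HTML-smuggling pattern described above.

Assumptions (mine): SMUGGLING_MARKERS is a heuristic set, not a published
signature; thresholds in triage() are illustrative; the sample attachment is
constructed inline and contains no real payload.
"""
from __future__ import annotations

import base64
import binascii
import re

# Heuristic markers of in-browser file assembly and forced download.
SMUGGLING_MARKERS = (
    "new Blob(",
    "msSaveOrOpenBlob",
    "URL.createObjectURL(",
    "atob(",
    ".download =",
    'download="',
)

# Container and executable extensions an HTML attachment should never drop.
RISKY_EXTENSIONS = (".iso", ".img", ".vhd", ".lnk", ".dll", ".exe", ".js", ".hta")

# ISO 9660 places the "CD001" identifier at byte 0x8001 (sector 16, offset 1).
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b"CD001"

# Long base64 runs are where a smuggled file body usually lives.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_smuggling_markers(html: str) -> list[str]:
    """Return the subset of marker strings present in the attachment."""
    return [m for m in SMUGGLING_MARKERS if m in html]


def find_risky_filenames(html: str) -> list[str]:
    """Return quoted string literals that end in a risky extension."""
    names = re.findall(r"""["']([^"']+\.[A-Za-z0-9]{2,4})["']""", html)
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]


def extract_payloads(html: str) -> list[bytes]:
    """Decode every large base64 run; skip runs that are not valid base64."""
    payloads = []
    for match in B64_BLOB.finditer(html):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except (ValueError, binascii.Error):
            continue
    return payloads


def looks_like_iso(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 primary volume descriptor tag."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def triage(html: str) -> dict:
    """Score the attachment and return the evidence behind the verdict."""
    markers = find_smuggling_markers(html)
    risky = find_risky_filenames(html)
    iso_count = sum(1 for p in extract_payloads(html) if looks_like_iso(p))
    score = 0
    if len(markers) >= 2:   # file assembled and handed to the browser
        score += 2
    if risky:               # names a mountable/executable artifact
        score += 2
    if iso_count:           # an actual disk image is embedded
        score += 3
    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "markers": markers,
            "risky_filenames": risky, "iso_payloads": iso_count}


def build_sample_attachment() -> str:
    """Constructed sample attachment; the image is zero-filled apart from the tag."""
    fake_iso = b"\x00" * ISO_SIGNATURE_OFFSET + ISO_SIGNATURE + b"\x00" * 64
    blob = base64.b64encode(fake_iso).decode()
    return f"""<html><body><script>
var data = atob("{blob}");
var file = new Blob([data]);
var a = document.createElement("a");
a.href = URL.createObjectURL(file);
a.download = "update.iso";
</script></body></html>"""


# Constructed benign newsletter for comparison.
BENIGN_SAMPLE = ('<html><body><p>Quarterly newsletter</p>'
                 '<a href="https://example.com/news.html">Read more</a></body></html>')


if __name__ == "__main__":
    print(triage(build_sample_attachment()))
    print(triage(BENIGN_SAMPLE))
```

The script deliberately reasons about bytes rather than file names: a renamed or fragmented blob still decodes to something with `CD001` at offset 0x8001, which is what the operating system will mount. In production the same checks belong in the attachment-scanning stage of a mail gateway, with the `review` verdict routed to an analyst queue and `block` quarantined.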