The same group behind the SolarWinds cyberattack

An email marketing account belonging to a US aid agency was recently used to send thousands of phishing emails to more than 1,150 organizations.
As Microsoft’s Customer Protection and Trust (CST) team outlined this week, a hacking group known as Nobelium gained access to the Constant Contact account of the US Agency for International Development (USAID). Constant Contact is an email marketing firm, and access to the USAID account allowed Nobelium to send spam that appeared to come from USAID to up to 1,000 accounts.
These emails “contain a link that, when clicked, inserts a malicious file used to deliver a backdoor we call NativeZone,” says Tom Burt, corporate VP for Microsoft CST. “This backdoor can enable a wide range of activities, from data theft to infecting other computers on the network.”
At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work, Burt says.
A Constant Contact spokesperson said in a statement that the company is “aware that the account was used by a bad actor to gain access to customers’ Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the affected accounts while we work with our customers and with law enforcement.”
USAID Acting Spokesperson Pooja Jhunjhunwala says, “A forensic investigation of this security incident is ongoing,” and the agency is currently working with “all appropriate federal authorities, including the Department of Homeland Security and the US Cybersecurity and Infrastructure Security Agency (CISA).”
CISA said it is “working with the FBI and USAID to better understand the extent of the compromise and to assist potential victims.”
Attempts to gather intelligence
According to Burt, Nobelium is based in Russia, and the group is “the same actor behind the attacks on SolarWinds customers in 2020. These attacks appear to be a continuation of Nobelium’s multi-pronged efforts to target government bodies involved in foreign policy.”
Microsoft says its automated systems “stopped many of the attacks targeting our customers,” while Windows Defender is blocking the malware involved in this attack. It noted that “there is no reason to believe these attacks involve any exploitation of or risk to Microsoft products or services.” (The SolarWinds attack allowed the hackers to view Microsoft source code.)
The campaign dates back to January 2021, when Nobelium used Google Firebase to test the waters with potential victims and regroup after the SolarWinds scheme had been unveiled. It sent phishing emails that tracked who clicked the links within the messages but did not deliver any malware.
This “experimentation” continued for several months, but on May 2 it “significantly increased.” At that point, automated systems blocked most of the Nobelium emails and marked them as spam. “However, automated systems might have successfully delivered some of the earlier emails to recipients,” Microsoft says.
If a Nobelium email lands in your inbox and you click the link, the hackers can gain access to your network, allowing them to move around, exfiltrate data, and deliver additional malware.
“This is another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of this attack on human rights and humanitarian organizations,” says Burt.
Microsoft noted that “this is an active incident.” Burt says the attack shows that we need to “have clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violating those rules.”