Microsoft has been actively tracking a surge in spear-phishing activity conducted by ‘Nobelium’, the group behind the SUNBURST backdoor and the TEARDROP and GoldMax malware.
Technical Detail & Additional Information
WHAT IS THE THREAT?
The threat group ‘Nobelium’ has historically targeted government organizations, think tanks, the military, IT service providers, telecom providers, and health and technology research companies. Most recently, Microsoft’s Threat Intelligence Center (MSTIC) has tracked significant phishing activity targeting more than 3,000 individual email addresses. The campaign is still ongoing and uses the legitimate email marketing service Constant Contact to distribute the malicious emails at scale while attempting to remain undetected: the messages are sent through the mailing service’s own infrastructure, and the malicious links are wrapped in the service’s URLs so that they borrow the reputation of a legitimate sender. MSTIC also stated that the campaign evolved as it progressed.
The latest iteration of the campaign spoofed the USAID domain (firstname.lastname@example.org). The messages carry an authentic sender address in the standard Constant Contact addressing scheme, with the domain ending in ‘@in.constantcontact.com’, while specifying ‘email@example.com’ as the reply-to address. Because the sending address is genuine, the message can pass sender authentication checks for the mailing service’s domain; the impersonation lives in the display name and the reply-to header, which is where mail filtering rules need to look.
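The header pattern described above (a genuine bulk-mailer sender address, a spoofed display name, a reply-to on a different domain, and links wrapped in the mailing service’s URLs) can be turned into a simple triage rule. The following Python is an added example, not code from Microsoft or from the advisory; the sample messages, the brand allowlist (USAID to usaid.gov) and the tracking-host list are constructed placeholders, not indicators from the campaign, and only the ‘in.constantcontact.com’ sender domain is taken from the text above.

```python
"""Triage an inbound .eml for the header and link traits of the campaign.

Added example. The sample messages, BRAND_DOMAINS and TRACKING_HOSTS are
constructed for illustration and are not real campaign indicators.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domain used by the mailing service, as given in the advisory text.
BULK_MAILER_DOMAIN = "in.constantcontact.com"

# Hypothetical allowlist: impersonated brand keyword -> domains that may send for it.
BRAND_DOMAINS = {"usaid": {"usaid.gov"}}

# Hypothetical link-tracking hosts a mailing service rewrites links through.
TRACKING_HOSTS = {"links.mailer.example"}

# Constructed suspicious sample modelled on the traits above (placeholder addresses/URL).
SAMPLE_EML = """\
From: "USAID Special Alert" <news@in.constantcontact.com>
Reply-To: press@usaid-alerts.example
To: analyst@victim.example
Subject: USAID Special Alert
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="https://links.mailer.example/tn?f=001abc">here</a> to read more.</p>
</body></html>
"""

# Constructed benign control: brand name in the display name, but sent from an allowed domain.
BENIGN_EML = """\
From: "USAID Press Office" <press@usaid.gov>
To: analyst@victim.example
Subject: Weekly update
Content-Type: text/plain; charset="utf-8"

See https://www.usaid.gov/news for details.
"""


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _display_name(header_value):
    name, _ = parseaddr(header_value or "")
    return name.lower()


def extract_links(msg):
    """Collect href targets from the preferred (HTML, else plain) body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return re.findall(r'href="([^"]+)"', text)


def triage(raw_eml):
    """Return the parsed sender/reply-to domains, links and a list of findings."""
    msg = message_from_string(raw_eml, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    reply_hdr = str(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_hdr), _domain(reply_hdr)
    findings = []

    # Trait 1: the authentic sender address belongs to the bulk-mailing service.
    if from_dom == BULK_MAILER_DOMAIN:
        findings.append("bulk_mailer_sender")

    # Trait 2: replies are steered to a domain other than the one that sent the mail.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply_to_mismatch")

    # Trait 3: the display name claims a brand that neither the sender nor the
    # reply-to domain is allowed to speak for.
    name = _display_name(from_hdr)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in name and from_dom not in legit and reply_dom not in legit:
            findings.append(f"brand_impersonation:{brand}")

    # Trait 4: links are hidden behind the mailing service's tracking URLs, so the
    # real destination is not visible in the message body.
    links = extract_links(msg)
    for url in links:
        host = (urlparse(url).hostname or "").lower()
        if host in TRACKING_HOSTS:
            findings.append("tracked_link:" + host)

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for label, eml in (("suspicious", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(eml)["findings"])
```

Each finding on its own is weak (many legitimate newsletters come from a bulk mailer with tracked links); it is the combination of a bulk-mailer sender, a brand in the display name that the sending domains cannot vouch for, and a reply-to steered elsewhere that justifies routing the message to the SOC rather than the inbox. The tracked links still have to be detonated or resolved in a sandbox to learn the final destination.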
WHY IS IT NOTEWORTHY?
Nobelium is a top-tier threat actor that previously trojanized the SolarWinds Orion platform, with the malicious update reaching roughly 18,000 organizations worldwide, and has proven to be a very sophisticated and capable group. The examples Microsoft cites as evidence of evolution and experimentation are cause for concern, as the actor is actively working to remain undetected and to develop more sophisticated means of compromising targeted systems.
WHAT IS THE EXPOSURE OR RISK?
The campaign targeted roughly 150 organizations and 3,000 user accounts. Most of the emails were blocked by automated systems because of the high volume of outbound mail; however, some may have been delivered successfully to recipients, so organizations in the targeted sectors should assume that a user could have received and opened one.
WHAT ARE THE RECOMMENDATIONS?
Organizations should ensure they use strong spam filtering and email protection, and should continuously run training exercises so that employees know how to spot, report, and act on phishing emails. Additionally, alerting on and blocking the IOCs Microsoft published (first reference link below) will surface any traffic to the Cobalt Strike command-and-control servers or to the domains hosting the malware.
- Implement email protection.
- Continuously educate employees on phishing attacks.
- Ensure endpoint protection is up to date with the latest signatures.
- Block IOCs provided by Microsoft.
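The alerting half of the last recommendation amounts to matching resolver and proxy logs against the published indicator list, with domain matches done on label boundaries so that subdomains of an IOC domain fire but look-alike names do not. The Python below is an added example, not code from Microsoft or from the advisory; the IOC domains and addresses are placeholders drawn from documentation ranges, and the key=value log lines are constructed, so replace both with the real indicator list and your own log format.

```python
"""Alert on DNS and web-proxy log lines that touch an IOC domain or IP.

Added example. IOC_DOMAINS, IOC_IPS and SAMPLE_LOGS are constructed placeholders
(example.* names, TEST-NET addresses), not the indicators Microsoft published.
"""
import re
from urllib.parse import urlparse

# Hypothetical IOC list standing in for the published one.
IOC_DOMAINS = {"c2-a.example.net", "loader.example.org"}
IOC_IPS = {"203.0.113.7", "198.51.100.23"}

# Constructed resolver and proxy log lines: "<timestamp> key=value ...".
SAMPLE_LOGS = [
    "2021-05-28T14:02:11Z type=dns client=10.0.0.5 query=www.example.com answer=93.184.216.34",
    "2021-05-28T14:02:12Z type=dns client=10.0.0.5 query=cdn.c2-a.example.net answer=203.0.113.7",
    "2021-05-28T14:02:15Z type=proxy client=10.0.0.9 dst=198.51.100.23:443 url=https://loader.example.org/update.iso",
    "2021-05-28T14:02:20Z type=proxy client=10.0.0.9 dst=93.184.216.34:443 url=https://www.example.com/",
    "2021-05-28T14:02:25Z type=dns client=10.0.0.7 query=notc2-a.example.net answer=192.0.2.1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its key=value fields plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def domain_hit(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Matching is on label boundaries: 'cdn.c2-a.example.net' matches
    'c2-a.example.net' but 'notc2-a.example.net' does not.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_hit(value):
    """Return the IOC IP for an 'addr' or 'addr:port' value (IPv4 literals only)."""
    ip = value.rsplit(":", 1)[0] if value.count(":") == 1 else value
    return ip if ip in IOC_IPS else None


def scan(lines):
    """Return one alert per (line, matched indicator) over the given log lines."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        # (source field, value to test, matcher, indicator kind)
        checks = []
        if "query" in f:
            checks.append(("query", f["query"], domain_hit, "domain"))
        if "url" in f:
            checks.append(("url", urlparse(f["url"]).hostname or "", domain_hit, "domain"))
        for key in ("answer", "dst"):
            if key in f:
                checks.append((key, f[key], ip_hit, "ip"))
        for source, value, matcher, kind in checks:
            ioc = matcher(value)
            if ioc:
                alerts.append({"ts": f["ts"], "client": f.get("client"), "kind": kind,
                               "ioc": ioc, "observed": value, "source": source})
    return alerts


def affected_clients(alerts):
    """Sorted, de-duplicated list of internal hosts that produced an alert."""
    return sorted({a["client"] for a in alerts if a["client"]})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for a in hits:
        print(f"{a['ts']} {a['client']} {a['kind']} ioc={a['ioc']} via {a['source']}={a['observed']}")
    print("hosts to isolate:", affected_clients(hits))
```

Two details matter in practice. A DNS answer that resolves to an IOC address is a hit even when the queried name is not on the list, which catches infrastructure reuse behind a fresh domain. And the alert carries the internal client address, because the useful output of IOC matching is the list of hosts to isolate and image, not the list of matching lines.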
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.