Microsoft has disclosed that the SolarWinds hackers or SolarWinds supply chain attack-fame threat actors are back in action. This time, they are targeting government agencies, consultants, think tanks, and non-governmental organizations across 24 countries.
Microsoft’s findings were corroborated by cybersecurity firm Volexity. Research reveals that this time, SolarWinds attackers have singled out NGOs, research institutions, government and international agencies in the US and Europe.
Over 150 Organizations Targeted So Far
According to Microsoft’s Corporate VP for Customer Security and Trust, Tom Burt, the latest wave of attacks has affected 150 different organizations and targeted approx. 3,000 email accounts.
“At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work,” Burt wrote in a blog post.
Russian Threat Actor Suspected to be Involved
Microsoft claims that a Russian threat actor tracked as different identities, including Nobelium, APT29. UNC2452, Dark Halo, SolarStorm, and StellarParticle might be responsible for the intrusion. The attacker is said to be linked with Russian Intelligence Services.
“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” added Burt.
How does it work?
The recent wave of attacks started in January 2021 and reached its peak on May 25. The attack starts as a phishing campaign and exploits a mass-mailing service known as Constant Contact. To hide the malicious activity, they masqueraded it as USAID. The malicious phishing email is distributed to a wide variety of industry verticals and organizations.
The harmless-looking emails contain a link, which, when clicked, immediately delivers a malicious optical disc image file titled ICA-declass.iso and injects a custom Cobalt Strike Beacon implant called NativeZone via Documents.dll.
It is equipped with persistent access maintenance, data exfiltration capabilities and can also install additional malware. There’s another variant of the attack in which Nobelium experimented with target machine profiling initiated after the email recipient clicks on the link.
If the targeted system is iOS-based, the victim will be redirected to a new remote server from where an exploit will be dispatched for the zero-day CVE-2021-1879, which Apple has already addressed on March 26.