SolarWinds Attacker Nobelium Attacks Over 150 Companies with Latest Mass Email Campaign

Nobelium, the Russian hacking group behind the supply-chain attack that compromised software updates for the SolarWinds Orion platform, has spent the past few months running an email-based campaign that installs backdoors inside institutions and businesses.

The latest wave leveraged the recent hijacking of an email marketing account belonging to the United States Agency for International Development (USAID), and targeted more than 150 organizations and approximately 3,000 individual accounts in 24 countries.

The group is known in the security industry as APT29, Cozy Bear, The Dukes, and Nobelium; the US and UK governments have linked it to the Russian Foreign Intelligence Service (SVR).

Nobelium has a long history of attacking governments and government-related entities, and sometimes uses zero-day exploits for initial access. About a quarter of the targets in the recent email attacks uncovered by Microsoft were organizations involved in international development, humanitarian work, and human rights.

“The activities of Nobelium and similar organizations tend to be related to issues of concern to the countries in which they operate,” said Tom Burt, Microsoft’s vice president of customer security and trust. “This time it was aimed at humanitarian and human rights groups.”

At the peak of the COVID-19 pandemic, Russia’s Strontium attacked vaccine-related medical organizations. In 2019, Strontium attacked sports and anti-doping bodies, and Microsoft has previously said that attackers such as Strontium have targeted major elections in the United States and elsewhere. “This is just another example of the growing number of countries opting for cyberattacks to achieve various political purposes,” Burt explained.

Payload delivery and target selection evolving over time

After the SolarWinds hack was discovered and companies were advised on how to detect Nobelium’s backdoor and protect themselves, Nobelium switched in January 2021 to an email-based attack.

According to Microsoft, the campaign started slowly. Early emails carried a URL to a malicious ISO disk image hosted on Firebase, Google’s mobile and web app development platform, and that infrastructure recorded information about the computer of any user who clicked the link.

In later versions, Nobelium switched from URLs to HTML attachments: when the user opens the attachment, embedded script writes an ISO file to disk (a technique known as HTML smuggling), and the user is then lured into opening it. Windows mounts the ISO as a virtual drive in File Explorer, exposing its contents to the user.
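The HTML smuggling step described above can be triaged offline. The following Python is an added example, not code from the article or from Microsoft: it scans an HTML attachment for the JavaScript idioms that turn an embedded base64 string into a file download, decodes any long base64 run, and classifies the result by file signature (an ISO 9660 image carries the identifier CD001 at offset 0x8001). The sample HTML and the minimal ISO-like buffer are constructed for the demo, and the patterns are heuristics rather than a signature.

```python
"""Triage an HTML e-mail attachment for an HTML-smuggled ISO image.

Added example; not code from the original article or from Microsoft.
The sample HTML and the ISO-like buffer below are constructed for the demo,
and the JavaScript patterns are heuristics, not a signature.
"""
import base64
import binascii
import re

# JavaScript idioms that turn an in-page byte string into a file download.
DROP_PATTERNS = {
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "createObjectURL": re.compile(r"URL\.createObjectURL\s*\("),
    "atob": re.compile(r"\batob\s*\("),
    "download_attr": re.compile(r"\.download\s*=", re.IGNORECASE),
}

# A smuggled ISO is tens of kilobytes, so only long base64 runs are of interest.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def identify(blob: bytes) -> str:
    """Classify a decoded blob by file signature."""
    # ISO 9660: the primary volume descriptor sits at sector 16 (2048-byte
    # sectors) and carries the identifier 'CD001' one byte into the sector.
    if len(blob) >= 0x8006 and blob[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if blob[:2] == b"MZ":
        return "pe"
    if blob[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def triage_html(html: str) -> dict:
    """Return the download idioms found and every decodable embedded payload."""
    techniques = [name for name, rx in DROP_PATTERNS.items() if rx.search(html)]
    payloads = []
    for match in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long URL or hash)
        payloads.append({"size": len(data), "type": identify(data)})
    suspicious = bool(techniques) and any(
        p["type"] in ("iso9660", "pe", "zip") for p in payloads
    )
    return {"techniques": techniques, "payloads": payloads, "suspicious": suspicious}


def make_fake_iso() -> bytes:
    """Constructed stand-in for an ISO: 17 empty sectors with only the PVD marker."""
    buf = bytearray(17 * 2048)
    buf[0x8000] = 1  # volume descriptor type 1 = primary volume descriptor
    buf[0x8001:0x8006] = b"CD001"
    return bytes(buf)


# Constructed attachment: the script decodes the blob and triggers a download,
# the same mechanism the text describes (file names are hypothetical).
SAMPLE_HTML = f"""<html><body><p>Please review the attached report.</p>
<script>
var b64 = "{base64.b64encode(make_fake_iso()).decode()}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: 'application/octet-stream'}});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'report.iso';
a.click();
</script></body></html>"""


if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

Real attachments obfuscate the decoding step (split strings, XOR loops, reversed base64), so in practice the signature check is the reliable part: if a long base64 run decodes to something with a known file header, the attachment deserves a human look regardless of which JavaScript idiom carries it.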

The ISO contains a shortcut file (LNK) that, when opened, loads a malicious DLL: a customized Cobalt Strike Beacon loader. Cobalt Strike is a commercial penetration-testing platform used by red teams and by attackers alike, and Beacon is its payload, the backdoor dropped onto compromised systems. Microsoft tracks Nobelium’s custom Cobalt Strike Beacon loader as NativeZone. The ISO also includes a decoy document that opens at the same time, so the user suspects nothing.
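Once the ISO is mounted and the LNK is clicked, the chain shows up in endpoint process telemetry: a DLL loader such as rundll32.exe or regsvr32.exe, started by explorer.exe, with a module path at the root of a newly mounted drive letter. The following Python is an added example, not code from the article or from Microsoft, that applies that heuristic to constructed Sysmon-style process-creation events; the field names, the DLL name and the drive letter are assumptions for the demo.

```python
"""Spot the LNK -> DLL-loader -> DLL-from-mounted-ISO chain in process telemetry.

Added example; not code from the original article or from Microsoft. The
events below are constructed Sysmon-style process-creation records with
assumed field names; the DLL name and drive letter are hypothetical.
"""
import ntpath
import re

# Binaries a shortcut can use to load an arbitrary DLL without dropping an EXE.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

# A mounted ISO appears as a new virtual drive letter with its files at the
# root, so a DLL path like D:\Documents.dll (no subdirectory, not the system
# drive) is the tell. Mapped network drives can look the same; treat hits as
# leads to confirm against drive-mount telemetry, not as a verdict.
ROOT_DLL_ON_OTHER_DRIVE = re.compile(
    r'(?<![\w\\])([D-Z]:\\[^\\\s",]+\.dll)\b', re.IGNORECASE
)


def detect_iso_dll_execution(events):
    """Return one finding per event where a DLL loader runs a root-level DLL."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if image not in DLL_LOADERS:
            continue
        match = ROOT_DLL_ON_OTHER_DRIVE.search(ev["cmdline"])
        if not match:
            continue
        parent = ntpath.basename(ev["parent"]).lower()
        findings.append({
            "id": ev["id"],
            "user": ev["user"],
            "loader": image,
            "dll": match.group(1),
            # explorer.exe as parent is consistent with a user double-clicking
            # the LNK inside the mounted image.
            "from_explorer": parent == "explorer.exe",
        })
    return findings


# Constructed sample telemetry. Event 1 models the chain in the text; the rest
# are benign look-alikes that the heuristic must not flag.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe D:\Documents.dll,Open"},
    {"id": 2, "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 3, "user": "CORP\\svc_build",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s D:\Tools\lib\vendor.dll"},
    {"id": 4, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs -p"},
]


if __name__ == "__main__":
    for hit in detect_iso_dll_execution(SAMPLE_EVENTS):
        print(hit)
```

The rule deliberately ignores the DLL's name: the decoy document and the loader DLL are renamed per campaign, while the structural facts (a living-off-the-land loader, a root-level path on a non-system drive, explorer.exe as parent) are what the technique cannot easily change.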

Nobelium’s email attacks continued as targeted operations throughout February, March, and April, with payload delivery and reconnaissance techniques changing frequently. Instead of using Firebase to collect information about the target system, Nobelium moved to another service and then embedded the fingerprinting directly within the HTML email attachment. Another wave added a first-stage implant written in .NET called BoomBox, which used Dropbox both to host information collected about victim systems and to download additional files.

On May 25, Nobelium launched its biggest email campaign. The emails were crafted to look as if they came from USAID and used an election-fraud themed document as bait, reaching some 3,000 individual accounts. They were sent through Constant Contact, a legitimate email marketing service, which was possible because the attackers had gained access to USAID’s account on the platform.

The spoofed emails carried valid Constant Contact headers and sending addresses and contained a link pointing to Constant Contact infrastructure, which made them look legitimate. From there, users were redirected to servers and domains controlled by Nobelium that delivered the ISO. As in previous campaigns, the ISO included an LNK file, a decoy PDF document, and the custom Cobalt Strike Beacon.

In its analysis of the attack, Microsoft said: “Microsoft security researchers assess that Nobelium’s spear-phishing operations are recurring and that their frequency and scope have increased. Further activity is expected.”

Microsoft has published Indicators of Compromise (IOCs) for this campaign, along with a set of recommendations for users of Microsoft Defender Antivirus, Microsoft Defender for Endpoint, Microsoft Office, and its online products.

Those recommendations include turning on cloud-delivered protection, running EDR in block mode, enabling network protection, using multi-factor authentication for email accounts and other services, using device discovery, and enabling attack surface reduction rules such as blocking Office applications from creating child processes.

Attacks exploit third-party services
Notable in this latest Nobelium email attack is that it originated from a compromised legitimate account on a third-party service. As in the SolarWinds supply-chain attack, the attack exploits an existing trust relationship between the victim and another organization.

Business Email Compromise (BEC) attacks, in which criminals impersonate company executives and trick employees into making fraudulent payments, likewise sometimes use hijacked email accounts. This is not the first time Nobelium has targeted IT companies to abuse their online services or use them as a starting point for attacks. Nobelium also devotes considerable time and effort to reconnaissance and information gathering on its victims.

“As seen in the SolarWinds attack, Nobelium exhibits a typical behavior of infecting their customers by gaining access to trusted technology providers,” said Burt of Microsoft. “Nobelium increases the likelihood of secondary damage and undermines trust in the IT ecosystem.”

Source: ITWorld Korea by

*This article has been translated from the original ITWorld Korea content.