New Email Campaign From ‘NOBELIUM’ Indicates the Actor’s Development

  • ‘NOBELIUM’ is delivering malicious emails to American companies en masse, pretending to be from USAID.
  • Most of these are being blocked and marked as spam, but some find their way in corporate networks.
  • This is another indication that state-supported actors aren’t willing to pause their espionage operations.

Microsoft has managed to uncover a wide-scale email campaign launched and operated by ‘NOBELIUM,’ the same group of actors who are considered responsible for the supply-chain attacks against users of the SolarWinds Orion. According to Microsoft’s threat intelligence team, the particular email campaign appears to have started in January 2021 and has signs of rampant experimentation that lasted until May 25, 2021. At that date, NOBELIUM leveraged the mass-mailing service ‘Constant Contact’ to scale up the operation and send out large numbers of emails masquerading as a U.S.-based development organization.

The targeting scope of the attack includes approximately 3,000 accounts across 150 companies and organizations operating in a variety of sectors. The emails carry an HTML file as an attachment, and if the recipient opens that, a JavaScript snippet runs to mount an ISO file as an external or network drive on the machine. In there, an LNK file executes a DLL which launches the Cobalt Strike beacon on the compromised computer.

Source: Microsoft

The mass-scale distribution achieved through ‘Constant Contact’ caused some trouble to NOBELIUM, as the high volumes of incoming mail triggered automated systems that blocked the messages and marked them as spam. However, as Microsoft warns, this doesn’t mean everything was prevented from being delivered.

Source: Microsoft

The latest organization mimicked by the actors is USAID (U.S. Agency for International Development). The messages are presented as alerts about former U.S. President Donald Trump publishing new documents that prove the election fraud claims that shook the country at the start of the year. Of course, the actors could change their spear-phishing theme any time, especially now that this particular one has been unmasked.

For Microsoft, there are three reasons why this campaign is notable:

  1. NOBELIUM continues to seek a way in important organizations that would open the door to massive espionage operations, exactly like they did with SolarWinds.
  2. This time, the actors appear to be targeting many humanitarian and human rights organizations too, which were previously excluded or ignored.
  3. Nation-state attacks aren’t showing any signs of slowing no matter the skirmishes between country leaders and the imposition of sanctions for this exact reason.

It is important to note that this campaign is still pretty much active, so checking the indicators of compromise given at the bottom of Microsoft’s analysis could help save you from great troubles. As always, you are advised to enable MFA on all accounts, turn on cloud-delivered protection, and run EDR in block mode.

How to Watch America’s Funniest Home Videos Season 34 Online from Anywhere
What could be the best way to make money, spread laughter, and have a blast simultaneously? The answer: America's Funniest Home Videos....
How to Watch Family Guy Season 22 Online Free from Anywhere
Family Guy Season 22 continues to follow the funny day-to-day activities of the Griffins, particularly Peter’s. The new season is set to...
How to Watch Bob’s Burgers Season 14 Online from Anywhere
Bob's Burgers has been entertaining us with its unique charm and warmth for over 10 years. The Belcher family—Bob, Linda, and their...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari