Microsoft has warned that the Russian-backed hacking group called Nobelium is currently conducting a phishing campaign and managed to compromise the account used by the United States Agency for International Development (USAID).
The phishing campaign has targeted around 3,000 accounts at more than 150 different organizations linked to government agencies, consultants, and non-governmental organisations.
The campaign has targeted government agencies around 24 countries but the US had received most of the malicious email.
According to Microsoft corporate vice president of customer security and trust Tom Burt, Nobelium launched the attacks by gaining access to the Constant Contact account of USAID.
The threat actors then distributed phishing emails that contained a link which when clicked, inserted a malicious file used to distribute a backdoor called NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.
Many of the emails were blocked, and he believes that the attacks do not involve any vulnerability in Microsoft products.
The campaign was discovered in February, and Nobelium was changing its approach to getting its malicious code onto victim computers.
In one instance, if a Nobelium-controlled server detected an Apple iOS device, it served up a WebKit universal cross site scripting vulnerability.
In the latest campaign, there were several iterations. In one example the emails appear to originate from USAID, while having an authentic sender email address that matches the standard Constant Contact service.
This address (which varies for each recipient) ends in @in.constantcontact.com … and a Reply-To address of was observed.
Burt added that Microsoft will continue to work with willing governments and the private sector to advance the cause of digital peace.
Nobelium has been best known for the SolarWinds supply chain hack that saw a backdoor planted in thousands of organisations before selecting nine US federal agencies and about 100 US companies to actually compromise and steal information from.
In a new blog post, Microsoft has provided details of four new malware families used by Nobelium in the attacks.
The four new families include an HTML attachment named ‘EnvyScout’, a downloader known as ‘BoomBox,’ a loader known as ‘NativeZone’, and a shellcode downloader and launcher named ‘VaporRage.’