Microsoft has warned that Nobelium is currently conducting a phishing campaign after the Russian-backed group managed to take control of the account used by USAID on the email marketing platform Constant Contact. The phishing campaign has targeted around 3,000 accounts linked to government agencies, think tanks, consultants, and non-governmental organizations.

According to Microsoft, while organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Operating from Russia, Nobelium has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time. The attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.  

This new wide-scale email campaign leverages the legitimate service Constant Contact account of USAID - a service used for email marketing - to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked). Due to the high volume of emails distributed in this campaign, automated email threat detection systems blocked most of the malicious emails and marked them as spam. However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place.

The phishing email, and link, when clicked, inserted a malicious file used to distribute a backdoor Microsoft calls NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network. 

Stefano De Blasi, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, notes, "The campaign highlighted by Microsoft is another example of how targeted phishing campaigns still constitute a serious threat against institutions of any kind. Their ability to elicit strong emotional responses from the email recipients is a crucial factor accounting for their success and, simultaneously, makes them very hard to defend against."

Tom Burt, Corporate Vice President, Customer Security & Trust for Microsoft, notes these attacks are notable for three reasons. "First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers. By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem," says Burt. 

"Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines. In 2019, Strontium targeted sporting and anti-doping organizations. And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere. This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives, with the focus of these attacks by Nobelium on human rights and humanitarian organizations," Burt says. "Third, nation-state cyberattacks aren’t slowing."

The NOBELIUM campaign observed by Microsoft Threat Intelligence Center (MSTIC)  and detailed in the blog differs significantly from the NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents, says MSTIC. Microsoft security researchers assess that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.


According to Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Fla.-based provider of cybersecurity and compliance software, the attack pattern shown by Nobelium and others will make employee awareness training even more difficult than it already is by using credible sources. Schrader says, "Employee will have more difficulties with the distinction of good and bad, of trusted and untrusted, which increases the importance of having an onion layer approach to security controls, overlapping each other as a backup. Prevention is rather difficult when a company is at the receiving end of such malicious campaign using trusted but compromised accounts. The detection capabilities do gain importance, and along the cyber kill chain, it will be about detecting malicious changes as early as possible as they account for 85% of all incidents, according to Gartner."

De Blasi adds, "Protecting against phishing campaigns requires a two-fold approach. From a human perspective, it is fundamental that institutions maintain cyclical awareness training with their employees to ensure that some best practices are enforced across the organization. On top of this, it's essential to keep endpoint protection adequately updated to have an additional defensive layer that catches the occasional miss by security tools at the network or email layers."

If we look at why many of the breaches over the past few years have occurred, it comes down to three key factors: human factors, identities and credentials, and vulnerabilities, says Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, a Washington D.C.-based provider of cloud identity security solutions. "The ultimate goal is to compromise systems to commit financial fraud, or to steal identities in order to access the company that the target was entrusted to protect. When identities are stolen, it provides the attacker with the means to bypass the traditional security perimeter undetected, and if that identity has access to privileged accounts, they can easily carry out insider trading."

For cybercriminals, mobile, email and social media continue to be the weapons of choice, Carson notes. "The target is the secondary victim—the unsuspecting employee who receives an authentic looking email from a 3rd party supplier that only requires the them to click once on a hyperlink, and it is game over for that endpoint.  The employee has handed over their secret password and digital identity for the cyber-criminal to use, bypass security controls, and pose as a trusted employee."

You can read more about the technical aspects of these attacks in this blog post from the Microsoft Threat Intelligence Center (MSTIC).