Nation state-backed cyberattacks are more widespread than ever, and each one calls a nation's cybersecurity readiness into question. The infamous SolarWinds supply chain attack, for instance, targeted several U.S. government agencies and ended up compromising the networks of nine government agencies and around 100 private organizations globally. While investigations are still ongoing, Microsoft recently revealed that Nobelium, the Russia-based threat actor behind the SolarWinds intrusion, is now targeting government agencies, think tanks, consultants, and non-governmental organizations globally.
Nobelium targeted over 3,000 email accounts of more than 150 global organizations. Around 25% of the targeted organizations were involved in international development, humanitarian, and human rights work.
“Many of the attacks targeting our customers were blocked automatically, and Windows Defender is blocking the malware involved in this attack. We’re also in the process of notifying all of our customers who have been targeted. We detected this attack and identified victims through the ongoing work of the MSTIC team in tracking nation-state actors. We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services,” Microsoft said.
Sophisticated Email-based Attack
Microsoft stated that Nobelium launched the campaign by illicitly gaining access to USAID's account at Constant Contact, an email marketing service. From that account the attackers sent phishing emails carrying a malicious link; clicking it downloaded a malicious file that installed a backdoor dubbed NativeZone. The backdoor gave the attackers a foothold for further activity, from stealing data to compromising other computers on the victim's network.
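The campaign above is a reminder that mail from a legitimate bulk-mail platform still deserves link-level triage. The following is an added example written for this page, not code from Microsoft, Constant Contact or any other party mentioned here. It parses a constructed sample message (placeholder domains, not real campaign indicators), collects every anchor in the HTML body, and flags links whose host is outside the sender's and platform's domains or whose visible URL text does not match the real href. The allowlist and the sample domains are assumptions for the demonstration.

```python
"""Link triage for phishing mail relayed through a legitimate bulk-mail
service. Added example for this page; the sample message, domains and
allowlist below are constructed placeholders, not real indicators."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a marketing-style message whose call-to-action link
# leaves the sender's domain while its visible text pretends otherwise.
SAMPLE_EML = """\
From: Newsletter <newsletter@example.org>
To: analyst@example.net
Subject: Special alert
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Read the full report:
<a href="https://cdn.attacker.example/report/index.html">https://www.example.org/report</a></p>
<p><a href="https://www.example.org/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_org(host, base):
    return host == base or host.endswith("." + base)


def triage_links(raw_eml, trusted_domains):
    """Return one finding per anchor in the HTML body.

    A link is marked suspicious when its href host is outside the sender's
    domain and the caller-supplied allowlist (e.g. the mailing platform's
    domains), or when the visible text is itself a URL pointing at a
    different host than the href (classic display/href mismatch)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender_host = msg["From"].addresses[0].domain.lower()
    trusted = {d.lower() for d in trusted_domains} | {sender_host}
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _AnchorCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        if not any(_same_org(host, t) for t in trusted):
            reasons.append("href host outside sender/platform allowlist")
        if text.startswith(("http://", "https://")) and _host(text) != host:
            reasons.append("visible URL text does not match href host")
        findings.append({"href": href, "host": host,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_links(SAMPLE_EML, ["example.org"]):
        label = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{label:10} {f['href']}  {'; '.join(f['reasons'])}")
```

One caveat: mailing platforms usually wrap links in their own click-tracking redirect, so a host-based allowlist that trusts the platform's domain will pass a redirector that ultimately lands on attacker infrastructure. In that case the redirect chain has to be resolved (in a sandbox, never from an analyst workstation) and the final destination fed back through the same checks.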
As per Microsoft, the attacks from the Nobelium group are notable for three reasons:
- When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.
- Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating.
- Nation-state cyberattacks aren’t slowing. There is a dire need for clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.