The Russian-based hacking group known as Nobelium compromised an email marketing account belonging to USAID and used it to distribute phishing emails carrying malware to targeted organizations. Last year the same group was behind the massive SolarWinds attack.
Nobelium began this week's campaign by breaching USAID's "Constant Contact" account, which is simply an email marketing account. From it, the threat actors were "able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file" used to deliver a backdoor called NativeZone, which infects the victim's machine and steals data.
All of this malicious activity was blocked for Microsoft customers running Windows Defender. However, that is no reason to relax, as three things make this attack notable. First and foremost, it shows Nobelium's standard playbook of "gain[ing] access to trusted technology providers and infect their customers." This technique can have expansive ramifications, including greater collateral damage during espionage operations, while also undermining "trust in the technology ecosystem."
Nobelium has been targeting organizations involved in issues of concern to the country from which it operates.
Microsoft will continue to track Nobelium, and USAID has likely started an investigation to determine how the initial breach happened. Hopefully, this attack and the recent Colonial Pipeline attack will spur better legislation and rules for cybersecurity.