Sapphire MSSP – NOBELIUM Phishing Campaign: May 30, 2021

On May 27^th, the Microsoft Threat Intelligence Centre (MSTIC) announced that ‘NOBELIUM’, the threat actor behind the SolarWinds compromise, had instigated another attack in the form of a persistent and evolving phishing campaign. Conducted in increasingly complex stages, this campaign has been active since January 2021. This is since the MSTIC first became aware of the operation.

The main phase has three-thousand individuals across one-hundred-and-fifty organisations. It was initiated on May the 25^th and performed over a period of several months. However, the phase began back in January 2021.

The point of compromise is an account belonging to United States Agency for Internal Development (USAID). From here, the threat actor was able to distribute fraudulent e-mails. These appeared entirely authentic to the receiver having come from a legitimate contact address.

Phases of NOBELIUM Phishing Campaign

The first phase consisted of the distribution of a phishing e-mail that leveraged Google Firebase to record any target that clicked the provided link. This URL was not linked to the malicious NOBELIUM infrastructure and was only use for reconnaissance.

The intermediate phase consisted of a marked increase in the volume of phishing e-mails along with the development of multiple delivery methods to get the payload into the target system. The payload itself communicates to the threat actor infrastructure via an ISO file. Cobalt Strike Beacon- known as ‘NativeZone’- achieves additional payloads and persistence.

Changes to Delivery Methods

Changes to delivery methods occurred throughout May 2021 until the 25^th. This had the dual purpose of identifying the most effective technique and obfuscated the attack, hampering possible mitigation and security responses. When the main phase occurred, the technique used was a simple one; a URL masquerading as a legitimate Constant Contact file share link included within the e-mail.

Microsoft released mitigation and best practice advice in relation to this campaign and are encouraging users to implement these recommendations.

Sapphire’s SOC Awareness of NOBELIUM Phishing Campaign

Sapphire ensures that client environments are protected by engaging with partners as well as threat intelligence resources. Alerting rules have leveraged & identified indicators of compromise (IoCs) such as spoofed e-mails, hash values, domains, and IP addresses. Office 365 and Exchange logs are currently subject to enhanced monitoring and review.

Analysis of this attack and the historical behaviours of the NOBELIUM group by Sapphire indicate that this operation is the first move in a wider campaign. Compromise and exfiltration of systems belonging to or associated with the United States government and its allies is the primary goal of the overall operation.

We encourage our clients to remain vigilant concerning any e-mail communication originating from US based organisations. Particularly those involved in humanitarian or development sector and to implement recommended mitigations as soon as possible.