
NOBELIUM Phishing Campaign | Sapphire

9 June 2021

Sapphire MSSP – NOBELIUM Phishing Campaign: May 30, 2021

On May 27th, the Microsoft Threat Intelligence Center (MSTIC) announced that ‘NOBELIUM’, the threat actor behind the SolarWinds compromise, had launched another attack in the form of a persistent and evolving phishing campaign. Conducted in increasingly complex stages, the campaign has been active since January 2021, which is when MSTIC first became aware of the operation.

The main phase targeted three thousand individuals across one hundred and fifty organisations. It was initiated on May 25th and carried out over a period of several months; the phase itself, however, traces back to January 2021.

The point of compromise was an account belonging to the United States Agency for International Development (USAID). From this account, the threat actor was able to distribute fraudulent e-mails. Because they came from a legitimate sender address, these appeared entirely authentic to the recipient.

Phases of NOBELIUM Phishing Campaign

The first phase consisted of the distribution of a phishing e-mail that leveraged Google Firebase to record any target who clicked the provided link. This URL was not linked to the malicious NOBELIUM infrastructure and was used only for reconnaissance.

The intermediate phase consisted of a marked increase in the volume of phishing e-mails, along with the development of multiple delivery methods to get the payload onto the target system. The payload, delivered via an ISO file, communicates with the threat actor's infrastructure. A Cobalt Strike Beacon, known as ‘NativeZone’, retrieves additional payloads and establishes persistence.

Changes to Delivery Methods

Changes to delivery methods occurred throughout May 2021 until the 25th. This served the dual purpose of identifying the most effective technique and obfuscating the attack, hampering possible mitigation and security responses. When the main phase occurred, the technique used was a simple one: a URL masquerading as a legitimate Constant Contact file-share link, embedded within the e-mail.

Microsoft has released mitigation and best-practice advice in relation to this campaign and is encouraging users to implement these recommendations.

Sapphire’s SOC Awareness of NOBELIUM Phishing Campaign

Sapphire ensures that client environments are protected by engaging with partners as well as threat intelligence resources. Alerting rules leverage identified indicators of compromise (IoCs) such as spoofed e-mail addresses, hash values, domains and IP addresses. Office 365 and Exchange logs are currently subject to enhanced monitoring and review.

Sapphire's analysis of this attack and of the NOBELIUM group's historical behaviour indicates that this operation is the first move in a wider campaign. Compromise and exfiltration of systems belonging to, or associated with, the United States government and its allies is the primary goal of the overall operation.

We encourage our clients to remain vigilant concerning any e-mail communication originating from US-based organisations, particularly those in the humanitarian or development sector, and to implement the recommended mitigations as soon as possible.
