
NOBELIUM Phishing Campaign | Sapphire

9 June 2021

Sapphire MSSP – NOBELIUM Phishing Campaign: May 30, 2021

On May 27th, the Microsoft Threat Intelligence Centre (MSTIC) announced that ‘NOBELIUM’, the threat actor behind the SolarWinds compromise, had launched another attack in the form of a persistent and evolving phishing campaign. Conducted in increasingly complex stages, the campaign has been active since January 2021, when MSTIC first became aware of the operation.

The main phase reached three thousand individuals across one hundred and fifty organisations. It was initiated on May 25th and was the culmination of activity performed over a period of several months, the phase having begun back in January 2021.

The point of compromise was an account belonging to the United States Agency for International Development (USAID). From here, the threat actor was able to distribute fraudulent e-mails that appeared entirely authentic to recipients, having come from a legitimate contact address.

Phases of NOBELIUM Phishing Campaign

The first phase consisted of the distribution of a phishing e-mail that leveraged Google Firebase to record any target that clicked the provided link. This URL was not linked to the malicious NOBELIUM infrastructure and was used only for reconnaissance.

The intermediate phase consisted of a marked increase in the volume of phishing e-mails, along with the development of multiple delivery methods to get the payload into the target system. The payload itself is delivered via an ISO file and communicates with the threat actor’s infrastructure; a Cobalt Strike Beacon, known as ‘NativeZone’, retrieves additional payloads and establishes persistence.

Changes to Delivery Methods

Changes to delivery methods occurred throughout May 2021 up to the 25th. This served the dual purpose of identifying the most effective technique and obfuscating the attack, hampering possible mitigation and security responses. When the main phase occurred, the technique used was a simple one: a URL masquerading as a legitimate Constant Contact file-share link included within the e-mail.

Microsoft has released mitigation and best-practice advice in relation to this campaign and is encouraging users to implement its recommendations.

Sapphire’s SOC Awareness of NOBELIUM Phishing Campaign

Sapphire ensures that client environments are protected by engaging with partners as well as threat intelligence resources. Alerting rules leverage the identified indicators of compromise (IoCs), such as spoofed e-mails, hash values, domains and IP addresses. Office 365 and Exchange logs are currently subject to enhanced monitoring and review.
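The alerting logic described above, and the delivery techniques noted in the earlier sections (ISO attachments and links masquerading as Constant Contact file shares), can be illustrated with a small triage routine. The following is an added example, not Sapphire’s detection content and not Microsoft’s guidance. It assumes a simplified key=value message-trace line format, placeholder IoC values, and an allow-list for the legitimate Constant Contact share host that a defender would populate from their own mail-flow data; all log lines and indicator values are constructed.

```python
"""Added example: triage constructed mail-trace records for the indicators
described in the advisory (spoofed sender, ISO attachment, look-alike
file-share link, IoC hash/domain hits). Not Sapphire's or Microsoft's code."""

from urllib.parse import urlparse

# Constructed watch-list values (placeholders, not real campaign indicators).
IOC_DOMAINS = {"lookalike-share.invalid", "c2-example.invalid"}
IOC_SHA256 = {"a" * 64}

# Assumption: the host a legitimate Constant Contact share link resolves to.
# A defender would populate this from their own observed mail flow.
FILESHARE_BRANDS = {"constant contact": {"constantcontact.com"}}

# The campaign delivered its payload inside an ISO; flag similar disk images too.
CONTAINER_EXTENSIONS = (".iso", ".img")


def host_matches(host, domains):
    """True if host equals, or is a subdomain of, any domain in the set."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_record(line):
    """Parse one constructed trace line 'key=value;key=value;...' into a dict.
    Values are assumed never to contain ';'."""
    record = {}
    for field in line.strip().split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            record[key.strip()] = value.strip()
    return record


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse(record):
    """Return the list of findings for a single parsed record."""
    findings = []
    hdr_from, env_from = record.get("from", ""), record.get("envelope_from", "")
    # 1. Header From domain differs from the envelope (Return-Path) domain:
    #    a common trait of spoofed or third-party-relayed mail.
    if hdr_from and env_from and domain_of(hdr_from) != domain_of(env_from):
        findings.append("sender-domain-mismatch")
    # 2/3. Attachments are 'name:sha256' pairs separated by ','.
    for att in filter(None, record.get("attachments", "").split(",")):
        name, _, digest = att.partition(":")
        if name.lower().endswith(CONTAINER_EXTENSIONS):
            findings.append("disk-image-attachment")
        if digest.lower() in IOC_SHA256:
            findings.append("ioc-hash")
    # 4/5. Link host on the IoC list, or link text claiming a file-share brand
    #      while the host is not the brand's expected host.
    url, link_text = record.get("url", ""), record.get("link_text", "").lower()
    if url:
        host = urlparse(url).hostname or ""
        if host_matches(host, IOC_DOMAINS):
            findings.append("ioc-domain")
        for brand, allowed in FILESHARE_BRANDS.items():
            if brand in link_text and not host_matches(host, allowed):
                findings.append("fileshare-lookalike")
    return findings


def triage(lines, min_findings=1):
    """Return {message_id: findings} for records with at least min_findings hits."""
    results = {}
    for line in lines:
        rec = parse_record(line)
        if not rec:
            continue
        findings = analyse(rec)
        if len(findings) >= min_findings:
            results[rec.get("id", "?")] = findings
    return results


# Constructed sample trace lines (not real mail traffic).
SAMPLE_LOG = [
    "id=m1;from=alerts@partner-agency.example;envelope_from=bounce@c2-example.invalid;"
    "url=https://docs.lookalike-share.invalid/view/abc;link_text=Constant Contact file share;"
    "attachments=invoice-scan.iso:" + "a" * 64,
    "id=m2;from=news@partner-agency.example;envelope_from=bounce@partner-agency.example;"
    "url=https://files.constantcontact.com/x/y;link_text=Constant Contact file share;attachments=",
    "id=m3;from=hr@corp.example;envelope_from=hr@corp.example;url=;link_text=;"
    "attachments=policy.pdf:" + "b" * 64,
]

if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_LOG).items():
        print(msg_id, hits)
```

Only the first constructed record is reported: it trips every check, while the genuine Constant Contact link in the second record passes because its host is on the allow-list. In practice the `min_findings` threshold and the allow-list are the two knobs that control false positives, since a From/Return-Path mismatch alone is common for legitimately relayed mail.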

Sapphire’s analysis of this attack and of the historical behaviour of the NOBELIUM group indicates that this operation is the first move in a wider campaign. Compromise and exfiltration of systems belonging to, or associated with, the United States government and its allies is the primary goal of the overall operation.

We encourage our clients to remain vigilant concerning any e-mail communication originating from US-based organisations, particularly those involved in the humanitarian or development sectors, and to implement the recommended mitigations as soon as possible.
