HC3 TLP White Sector Alert: New Phishing Campaign Launched by SOLARWINDS Attackers May 28, 2021

Executive Summary

On May 28, 2020, Microsoft published details of a widespread campaign from a group they labeled NOBELIUM. NOBELIUM, attributed to the SolarWinds supply chain attack, targeted over 150 organizations with approximately 3,000 emails sent from a compromised email marketing service used by the US Agency for International Development (USAID). The emails, which masqueraded as USAID messages, could infect a target system with malware and grant persistent access if the recipient interacted with them. HC3 recommends applying the mitigations suggested by Microsoft to reduce the impact of the threat.

Report

The Microsoft Threat Intelligence Center (MSTIC) began monitoring a spear-phishing campaign in January 2021 from a group they call NOBELIUM. NOBELIUM has been attributed to the SolarWinds attack. Microsoft observed cyberattacks by NOBELIUM targeting government agencies, think tanks, consultants, and non-governmental organizations. On May 25, 2021, Microsoft observed and tracked NOBELIUM changing techniques from the early stages of the campaign. NOBELIUM compromised USAID's email marketing platform, Constant Contact. The social engineering emails were labeled "USAID Special Alert" with references to election fraud. NOBELIUM sent approximately 3,000 targeted emails masquerading as USAID, each carrying an attached HTML file. When this malicious attachment is opened, embedded JavaScript writes an ISO image file to the system. If the user opened that file, the ISO would be mounted like an external or network drive. A shortcut file (LNK) on the mounted image would then execute an accompanying DLL, which in turn would execute a Cobalt Strike Beacon. The successful placement of these payloads enables NOBELIUM to move laterally through the compromised network and exfiltrate data.
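The HTML-attachment step described above (JavaScript inside the HTML writing an ISO to disk) is a form of HTML smuggling that mail gateways can screen for before the attachment reaches a user. The following detector is an added example, not code from HC3 or Microsoft: it flags an HTML attachment that both calls browser download APIs and embeds a base64 blob decoding to an ISO 9660 image (identified by the standard "CD001" marker at offset 0x8001). The sample attachment it checks is constructed inline; the threshold of 4096 base64 characters is an assumption to skip small inline images.

```python
import base64
import re

# ISO 9660 primary volume descriptor: the bytes "CD001" at offset 0x8001
# (sector 16, one byte in). Any real ISO image carries this marker.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Unbroken base64 runs long enough to plausibly carry a file (assumed threshold).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4096,}={0,2}")
# JavaScript APIs commonly used to turn an in-page byte blob into a download.
SMUGGLING_APIS = (b"Blob(", b"createObjectURL", b"msSaveOrOpenBlob", b".download")


def is_iso_image(data: bytes) -> bool:
    """True if the decoded blob carries the ISO 9660 volume descriptor marker."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC


def scan_html_attachment(html: bytes) -> dict:
    """Report which download APIs appear and how many embedded base64 blobs
    decode to an ISO image; 'suspicious' requires both signals together."""
    apis = [a.decode() for a in SMUGGLING_APIS if a in html]
    iso_blobs = 0
    for match in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # not valid base64 (e.g. a long token or hash)
            continue
        if is_iso_image(blob):
            iso_blobs += 1
    return {"smuggling_apis": apis, "iso_blobs": iso_blobs,
            "suspicious": iso_blobs > 0 and bool(apis)}


def build_sample() -> bytes:
    """Constructed sample attachment: a fake ISO (zeros plus the CD001 marker)
    base64-encoded into an HTML page whose script writes it out as a download."""
    fake_iso = bytearray(0x8800)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    b64 = base64.b64encode(bytes(fake_iso))
    return (b"<html><body><script>var d='" + b64 + b"';"
            b"var u=URL.createObjectURL(new Blob([atob(d)]));"
            b"var a=document.createElement('a');a.href=u;"
            b"a.download='report.iso';a.click();</script></body></html>")


if __name__ == "__main__":
    print(scan_html_attachment(build_sample()))
```

Real attachments may split or obfuscate the base64 payload, so in production this check belongs alongside sandbox detonation rather than in place of it.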

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272