The U.S. Department of Justice announced yesterday (Tuesday) that it had identified and seized two malicious domains used in a spear-phishing campaign whose emails were disguised as messages from the U.S. Agency for International Development (USAID). Last week, Microsoft issued a warning about the campaign, which it attributed to Nobelium, the Russian state-linked group that Microsoft assesses to be behind the 2020 SolarWinds supply-chain attack.
Last week, malicious email messages were sent to about 3,000 accounts at some 150 organizations in the U.S. and abroad (in at least 24 countries), via a compromised account at a third-party mass-mailing service that USAID uses to distribute its newsletters. The body of the email, titled "Special Alert", contained a link that, when clicked, delivered a malicious file which installed a Cobalt Strike Beacon backdoor (Cobalt Strike is a commercial post-exploitation framework that is frequently abused by intrusion groups). Microsoft said that at least a quarter of the targeted organizations work in international development, humanitarian and human rights fields, some of which have publicly criticized the actions of Russian President Vladimir Putin.
"Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020," the company's alert said. "These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts." Nobelium, which various assessments link to Russia's intelligence services, is also tracked under other names, including Cozy Bear and APT29.
The Justice Department said that although the seizure disrupted the malicious activity, the attackers may have deployed additional backdoors that have yet to be discovered; seizing a command-and-control domain only cuts off the traffic of implants that beacon to it, and does not remove implants already running on victim hosts. Microsoft, for its part, reported that the attackers do not appear to have caused significant damage, because automated email-security and endpoint defenses blocked a large share of the malicious messages.
"Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation," said Assistant Attorney General John C. Demers from the Justice Department’s National Security Division. The FBI's Cyber Division said that "We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats."
"When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers," Microsoft wrote, adding that "perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations. At the height of the Covid-19 pandemic, Russian actor Strontium targeted healthcare organizations involved in vaccines… And we’ve previously disclosed activity by Strontium and other actors targeting major elections in the U.S. and elsewhere."
"This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives," Microsoft wrote. "We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules."
Meanwhile, White House Principal Deputy Press Secretary Karine Jean-Pierre said that a criminal group likely based in Russia is assessed to be behind the ransomware attack on meat processing company JBS, which compromised the company's IT systems and disrupted its operations in North America and Australia, and that the administration is engaging directly with the Russian government on the matter.