NOBELIUM APT Targets Governments Worldwide in a Massive Spear-Phishing Campaign

Microsoft experts have revealed a significant shift in a spear-phishing campaign launched by Russia-affiliated NOBELIUM APT against major government agencies, think tanks, and NGOs globally. According to researchers, the hacker collective attacked more than 150 organizations across 24 countries with the intent to infect victims with malware and gain covert access to the internal networks. Notably, the same actor is believed to stand behind the epoch-making SolarWinds supply-chain attack that hit the world in December 2020.

Attack Kill Chain

According to the inquiry from Microsoft, the phishing campaign started in January 2021 and included a broad range of experiments and trials. Hackers switched between various delivery methods and techniques to achieve the most severe impact.

At early campaign stages, threat actors abused the Google Firebase platform to drop a malicious ISO file and track user profiles that interacted with the phishing messages. Security practitioners believe that it was an initial reconnaissance phase since no malicious payloads were delivered during this period. Further, NOBELIUM hackers have mastered their approach and started to use HTML email attachments to hide the malware within the HTML document. Nevertheless, the volume of malicious emails was considerably low, giving grounds to consider it was the final trial cycle.

In May 2021, security researchers detected a major uptick in nefarious activity. This time NOBELIUM hackers successfully took control over the official USAID account in the Constant Contact mass-emailing platform to disseminate messages posing a higher level of credibility. The emails delivered a malicious link that, if clicked, redirected victims to a bogus HTML file that dropped additional malware aimed at cyber espionage. Particularly, security researchers have tracked four samples (NativeZone, BoomBox, EnvyScout, VaporRage) being delivered in the course of the campaign. The combination of these strains allowed NOBELIUM actors to move laterally across the infected environment, download second-stage payloads, and exfiltrate victims’ information.

More than 3,000 accounts tied to 150 major government assets, consultant groups, and public entities were attacked. The massive amount of phishing emails triggered the detection systems which were able to block most of them. Nevertheless, a portion of earlier messages may have passed the automated detection routine due to improper configuration or before the protections being introduced.

Detecting NOBELIUM APT Phishing

Although some intrusions were blocked automatically, adversaries were able to penetrate dozens of organizations. To protect your company infrastructure and prevent possible infections, you can download a set of Sigma rules released by our keen Threat Bounty developers.

APT29 Phishing Campaigns

NOBELIUM CyberAttack Downloader Detection (via sysmon)

Stay tuned to our blog not to miss further detections tied to this nefarious campaign. All the new rules will be added to this blog post.

Subscribe to Threat Detection Marketplace for free and reach an extensive collection of SIEM and EDR algorithms tailored to the company’s environment and threat profile. Our SOC content library aggregates over 100K queries, parsers, SOC-ready dashboards, YARA and Snort rules, Machine Learning models, and Incident Response Playbooks mapped directly to CVE and MITRE ATT&CK® frameworks. Striving to master your threat hunting skill and craft Sigma rules? Join SOC Prime’s Threat Bounty Program!

Go to Platform Join Threat Bounty