SolarWinds Hackers Used Constant Contact Email Service In Phishing Attack
Donna Goodison, Steven Burke
‘Nobelium launched this week’s attacks by gaining access to the Constant Contact account of the United States Agency for International Development,’ says Tom Burt, Microsoft’s corporate vice president of customer security and trust.
The Russia-based hacker group known as Nobelium—the group behind last year’s massive SolarWinds hack—is at it again, this time using the cloud email marketing service Constant Contact in a phishing campaign that led to the breach of 3,000 email accounts across 150 organizations.
Microsoft revealed the latest breach from the state-sponsored hackers in a blog post titled “Another Nobelium Cyberattack” that warned part of “Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.”
Nobelium launched this week’s attacks not through the SolarWinds Orion network monitoring tool but by gaining access to the Constant Contact account of the United States Agency for International Development, or USAID, Microsoft said.
“Using the legitimate mass mailing service Constant Contact, Nobelium attempted to target around 3,000 individual accounts across more than 150 organizations,” wrote Tom Burt, Microsoft’s corporate vice president of customer security and trust. “Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients.”
USAID advances what it calls U.S. national security and economic prosperity as a means to demonstrate American generosity.
With access to the Constant Contact email service through a USAID account, Nobelium was able to “distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor” called NativeZone. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt said.
In an email to CRN, Constant Contact said it was aware that the “account credentials” of one of its customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” Constant Contact said.
Many of the attacks targeting customers were “blocked automatically, and Windows Defender is blocking the malware involved in this attack,” Microsoft’s Burt said.
The software giant said it was in the process of notifying all customers who were targeted. “We detected this attack and identified victims through the ongoing work of the Microsoft Threat Intelligence Center (MSTIC) team in tracking nation-state actors,” Microsoft said. “We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”
While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries, according to Microsoft.
“At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work,” Burt said.
Nobelium is the same state-sponsored organization behind last year’s massive breach of the SolarWinds Orion network monitoring product. That nation-state attack sent shockwaves around the world, with Nobelium gaining access to U.S. government agencies, critical infrastructure entities and private sector organizations.
The injection of malicious code into Orion between March and June 2020 allowed hackers believed to be with the Russian intelligence service, or APT29, to compromise the U.S. Departments of Defense, State, Treasury, Homeland Security and Commerce.
With the SolarWinds breach, Nobelium accessed SolarWinds’ internal systems, its Microsoft Office 365 environment and its software development environment for months before carrying out its vicious cyberattack.
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech Enterprise, No. 96 on the CRN SP 500, said the use of the Constant Contact email marketing service shows that a basic phishing attack can pay big dividends for hackers.
“This latest hack really wasn’t that sophisticated, it was just a smart way for them to get into email accounts,” Venero said of the use of the Constant Contact service. “Organizations that were using the service automatically clicked on it because it looked normal.”
Future Tech, for its part, has implemented a warning on any email that comes from outside of its domain. “We put right on top of the email: Be careful this email came from outside the Future Tech organization,” he said. “Our IT and security team put it together. Any email that is not internally generated at Future Tech through our domain is flagged.”
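The kind of external-sender flag Venero describes, as an added example that is neither the article’s nor Future Tech’s code: it tags a message when the visible From domain is outside the organization, and also when the From header looks internal but the envelope sender (Return-Path) belongs to another domain, which is how mail sent through a mass-mailing service on a customer’s behalf typically arrives. The organization domain, the addresses and the three sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "futuretech.example"  # assumed placeholder for the organization's own domain
BANNER = "Be careful: this email came from outside the organization."


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value, or '' if none."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def external_reasons(raw: str) -> list[str]:
    """Return the checks that fired for a raw RFC 5322 message; [] means internal.

    Check 1: the From header's domain is not ours.
    Check 2: the envelope sender (Return-Path, or Sender) is not ours, which catches
             mail relayed through a third-party mailer even when From looks internal.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if _domain(msg.get("From", "")) != ORG_DOMAIN:
        reasons.append("from-domain-external")
    env_dom = _domain(msg.get("Return-Path", "") or msg.get("Sender", ""))
    if env_dom and env_dom != ORG_DOMAIN:
        reasons.append("envelope-sender-external")
    return reasons


def tag_message(raw: str) -> str:
    """Body text with the banner prepended when any check fired, else unchanged."""
    body = email.message_from_string(raw, policy=policy.default).get_content()
    return f"{BANNER}\n\n{body}" if external_reasons(raw) else body


# Constructed samples (placeholder domains; no real addresses or campaign content).
INTERNAL = ("From: IT <it@futuretech.example>\nReturn-Path: <it@futuretech.example>\n"
            "Subject: Patch window\n\nReboots tonight.\n")
MASS_MAILER = ("From: USAID Updates <news@usaid.example>\nReturn-Path: <bounce-123@mailer.example>\n"
               "Subject: Special alert\n\nSee the link below.\n")
SPOOFED_FROM = ("From: Bob Venero <bob@futuretech.example>\nReturn-Path: <x@outside.example>\n"
                "Subject: Urgent wire\n\nPlease handle today.\n")

if __name__ == "__main__":
    for name, raw in (("internal", INTERNAL), ("mass-mailer", MASS_MAILER), ("spoofed", SPOOFED_FROM)):
        print(f"{name:12s} {external_reasons(raw)}")
```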
The use of email and cloud services by bad actors like Nobelium has also prompted Future Tech to use, in some cases, an encrypted mobile communications alternative to email called Silent Circle. That service provides unlimited encrypted voice, video, messaging, sharing and conference calling. The Silent Circle encryption allows a text to be automatically deleted once it is read.
“I have moved 30 percent of my communications with executive leaders to Silent Circle,” he said. “The threat vector on email is huge. It is where all of the attacks start. The bad actors get in through email, someone clicks on it and now they are into your IT environment. I can’t control what Office 365 does or what other platforms do, so I have to do something internally to minimize my risk, especially when it comes to high-level executive communications.”
The phishing attack is just another sign of the threat vector from cloud services, according to Venero. “We have always preached about the challenges of cloud services and the risks they pose to corporations and individuals,” he said. “That is not going to change. It is only going to get worse and worse.”
Allen Falcon, CEO of Cumulus Global, a Westborough-based Microsoft partner, said he does not believe the latest breach, like so many others before it, will have a chilling effect on cloud services. “This compromise was, in effect, an identity compromise,” said Falcon.
Cloud or not, cyber-attackers will continue to target identities, because they provide access to on-premises systems as well as cloud services, he said.
For Microsoft partners, their response responsibilities remain ensuring that their ecosystems are secure and that they don’t introduce risk to their clients, according to Falcon. They also must educate customers about the risks and about pragmatic approaches to protecting their businesses; propose, implement and manage multi-vector, multi-layer security environments; and provide solutions to respond to and recover from breaches, should they occur.
“No prevention is perfect,” Falcon said.