5 Things To Know About Latest SolarWinds Hackers’ Attack: How Nobelium Leveraged Constant Contact In Phishing Campaign
Donna Goodison, Steven Burke
The latest attack by the Russian state-sponsored group known as Nobelium involved the Constant Contact email marketing service. Here are five things you need to know about what Microsoft is calling ‘Another Nobelium Cyberattack.’
Nobelium Launches New Wave of Attacks By Using Constant Contact Account
The latest attack by the Russia-based group known as Nobelium this week used a government agency’s account credentials for the cloud email marketing service Constant Contact in a phishing campaign that targeted some 3,000 email accounts at more than 150 organizations.
Nobelium is the same state-sponsored organization behind the massive breach last year of the SolarWinds Orion network monitoring product. That nation-state attack sent shockwaves throughout the world with Nobelium gaining access to U.S. government agencies, critical infrastructure entities and private sector organizations.
This time, Nobelium gained access to the Constant Contact account of the United States Agency for International Development, or USAID. The agency describes its mission as advancing U.S. national security and economic prosperity while demonstrating American generosity.
From USAID’s Constant Contact account, Nobelium was able to “distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” said Microsoft Corporate Vice President Customer Security & Trust Tom Burt. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
In an email to CRN, Constant Contact said it was aware that the “account credentials” of one of its customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. “This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said Constant Contact.
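The attack chain described above is notable because the phishing mail left a legitimate marketing platform from a real customer account, so sender authentication (SPF, DKIM, DMARC) would have passed; the defensive signal has to come from the links themselves. The script below is an added illustration of that kind of link triage and is not code from CRN, Microsoft, Constant Contact or USAID. The sample messages are constructed, the file extensions treated as download indicators and the hypothetical tracking host `r.tracker.example` are assumptions, and the article does not say what the real malicious link pointed at.

```python
"""Triage links in bulk-mail messages that already passed sender authentication.

Two heuristics (both assumptions for this example, not indicators from the article):
  * direct-download: the href path ends in a file type that commonly carries a dropper
  * host-mismatch:   the link's visible text names one host but the href goes elsewhere
Click-tracking redirectors used by marketing platforms trigger host-mismatch on every
link, so known tracker hosts can be allowlisted via `tracking_hosts`.
"""
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of container / executable types worth flagging; tune for your environment.
DOWNLOAD_EXTENSIONS = (".iso", ".img", ".zip", ".lnk", ".exe", ".dll", ".js")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain string, lower-cased; '' if none."""
    value = value.strip().strip(".,;:")
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def host_in_text(text):
    """First token of the visible link text that looks like a hostname or URL."""
    for token in text.split():
        if "." in token:
            host = host_of(token)
            if host and "." in host:
                return host
    return ""


def triage_message(raw, tracking_hosts=()):
    """Return [(finding, href), ...] for the HTML body of one RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = AnchorCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if not target:
            continue  # mailto:, tel:, anchors
        path = urlparse(href if "://" in href else "http://" + href).path.lower()
        if path.endswith(DOWNLOAD_EXTENSIONS):
            findings.append(("direct-download", href))
        shown = host_in_text(text)
        if (shown and shown != target
                and not target.endswith("." + shown)
                and target not in tracking_hosts):
            findings.append(("host-mismatch", href))
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BENIGN = b"""From: newsletter@example.org
To: reader@example.com
Subject: Monthly update
Content-Type: text/html; charset=utf-8

<html><body><p>Read this month's update at
<a href="https://www.example.org/news/may">www.example.org</a>.</p></body></html>
"""

SAMPLE_SUSPICIOUS = b"""From: newsletter@example.org
To: reader@example.com
Subject: Special alert
Content-Type: text/html; charset=utf-8

<html><body><p>New documents:
<a href="https://files.example.net/advisory/update.iso">https://www.example.gov/advisory</a></p></body></html>
"""

SAMPLE_TRACKED = b"""From: newsletter@example.org
To: reader@example.com
Subject: Monthly update
Content-Type: text/html; charset=utf-8

<html><body><p>Visit <a href="https://r.tracker.example/ls/click?u=123">www.example.org</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS),
                      ("tracked", SAMPLE_TRACKED)):
        print(name, triage_message(raw, tracking_hosts=("r.tracker.example",)))
```

The tracked sample shows the operational caveat: without the allowlist every click-tracked link in a legitimate newsletter is reported as a mismatch, and with a tracker allowlist the direct-download heuristic is the one that still fires on a redirector chain only if the final hop is resolved, which this offline example does not do.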
Dirk Arends, president of Virtual Systems, a Microsoft Silver partner and cloud solution provider based in Grand Rapids, Mich., said the attack shows how state-sponsored hackers are leveraging upstream vendors to reach government and customer data.
“I don’t believe these attacks will curb cloud migrations, but I see much better due diligence being done by businesses and government agencies as they select partners, and that’s a good thing,” said Arends. “The bar is being raised for service providers to adhere to the highest requirements for security and compliance, and that’s good for everyone.”