Powered by MOMENTUM MEDIA

New phishing attack targets over 150 US government agencies

Microsoft reports new phishing attacks targeted staff at 150 US government agencies and related organisations.


The attack was allegedly carried out by Nobelium, the same group that carried out the recent SolarWinds attack. Threat actor Nobelium has been observed targeting government agencies, think tanks, consultants, and non-governmental organisations.


Organisations in the US received the largest share of attacks, but the wave targeted approximately 3,000 email accounts at more than 150 different organisations, with victims spanning at least 24 countries. Microsoft observed that at least a quarter of the attacks targeted organisations involved in international development, humanitarian and human rights work.

Nobelium, originating from Russia, launched the attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, dropped a malicious file used to deliver a backdoor called NativeZone. This backdoor could enable a wide range of activities, from stealing data to infecting other computers on a network.

After seeing phishing attacks increase, Charlie Gero at Akamai's Security Technologies Group said the focus for end users should be on "the acceptance that everywhere on the internet can be dangerous", instead of keeping end users away from hotspots on the world wide web.

"Nobelium is doing something pretty interesting. They are storing their malware on domains that people don't block, like Google Firebase and Dropbox. They are effectively laundering their malware through trusted SaaS providers," Gero said.

"This means protection at the DNS layer, while critically important, is obviously not enough. You need content inspection too, and that's where SWGs (Secure Web Gateways) come into play.

"It expands the protections from focusing on keeping end users away from dangerous areas on the internet to accepting that everywhere can be dangerous, and thus scanning for viruses, performing sandboxing, etc, is a must."

Nobelium is the same threat actor behind the attacks on SolarWinds customers in 2020. These attacks appear to target government agencies involved in foreign policy as part of intelligence gathering efforts.

The new approach in Nobelium's phishing attacks has "confirmed Zero Trust" in a different use case, Gero added. The important takeaway from these fresh attacks is that end users "should always scan and verify information" instead of trusting content sent by other users based on its location.

"In the past, we trusted users based on their location (inside the perimeter), but today we recognise that is bad and we need to verify each access based on identity, risk, and more," Gero said.

"We still often trust data based on its location [for example] 'it's on Dropbox, and my company trusts Dropbox, so we're good'.

"As we see, criminals are increasingly relying on this mistake of trusting content by location in order to get around enterprise protections."
