The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have warned of an ongoing spearphishing campaign targeting government organizations, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs) that has already reached hundreds of entities.
The U.S. agencies stopped short of attributing the campaign to any particular actor, at least for now, but outside security researchers have already named the group they hold responsible: Nobelium, also tracked as APT29 or Cozy Bear. It is the same group behind the SolarWinds supply-chain compromise, one of the most significant security incidents of recent years.
“A sophisticated cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to spoof a U.S.-based government organization and distribute links to malicious URLs,” said the agencies in the advisory.
“A cyber threat actor leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to send phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs,” the agencies also said. “The threat actor sent spoofed emails that appeared to originate from a U.S. Government organization.”
The email carries a URL that leads the user to a malicious page, which in turn serves a malicious ISO image. The ISO contains three files: a DLL that is a custom Cobalt Strike Beacon version 4 implant, a malicious shortcut (.lnk) file that launches the Beacon loader, and a decoy PDF titled “Foreign Threats to the 2020 U.S. Federal Elections” with the filename “ICA-declass.pdf.” The PDF is a genuine copy of the Intelligence Community Assessment produced under Executive Order 13848, which is publicly available from official sources; it exists only to make the lure look legitimate while the shortcut runs the implant.
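Because the payload arrives as an ISO 9660 image, which Windows mounts with a double-click and historically did not tag with Mark-of-the-Web, a mail gateway or sandbox can triage the container statically, without mounting it, by walking its root directory and looking for the shortcut-plus-DLL-plus-decoy pattern described above. The script below is an added example, not code from the advisory or from the article. Only the decoy filename “ICA-declass.pdf” comes from the advisory; the shortcut and DLL names in the sample image are constructed placeholders, not the campaign's real file names. The `build_iso` helper exists purely to construct an in-memory sample image so the example runs offline; real triage would pass the attachment bytes straight to `triage`. The parser reads only the primary volume descriptor and root directory (no Joliet or Rock Ridge names, no subdirectories), which is enough for a first-pass check but not a full ISO 9660 implementation.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 2048          # ISO 9660 logical block size used throughout
FLAG_HIDDEN = 0x01     # directory record file flags, bit 0: hidden from listings
FLAG_DIRECTORY = 0x02  # bit 1: entry is a directory


@dataclass
class IsoEntry:
    name: str
    size: int
    hidden: bool
    is_dir: bool


def _both32(v: int) -> bytes:  # ISO 9660 stores integers little- then big-endian
    return struct.pack("<I", v) + struct.pack(">I", v)


def _both16(v: int) -> bytes:
    return struct.pack("<H", v) + struct.pack(">H", v)


def _dir_record(ident: bytes, extent: int, size: int, flags: int) -> bytes:
    """Encode one ISO 9660 directory record (ECMA-119 9.1 layout)."""
    rec = bytearray(b"\x00\x00")        # [0] record length (patched below), [1] ext. attr. len
    rec += _both32(extent)              # [2..9]   location of extent
    rec += _both32(size)                # [10..17] data length
    rec += b"\x00" * 7                  # [18..24] recording date/time (left zero)
    rec += bytes([flags, 0, 0])         # [25] file flags, [26] unit size, [27] interleave gap
    rec += _both16(1)                   # [28..31] volume sequence number
    rec += bytes([len(ident)]) + ident  # [32] identifier length, [33..] identifier
    if len(ident) % 2 == 0:
        rec += b"\x00"                  # pad byte keeps the record length even
    rec[0] = len(rec)
    return bytes(rec)


def build_iso(files: dict[str, tuple[bytes, bool]]) -> bytes:
    """Build a minimal single-directory ISO 9660 image in memory (test input only).

    files maps name -> (content, hidden). Layout: sectors 0-15 system area,
    16 primary volume descriptor, 17 terminator, 18 root directory, 19+ file data.
    """
    root_sector, first_data_sector = 18, 19
    records = bytearray()
    records += _dir_record(b"\x00", root_sector, SECTOR, FLAG_DIRECTORY)  # "."
    records += _dir_record(b"\x01", root_sector, SECTOR, FLAG_DIRECTORY)  # ".."
    data = bytearray()
    for name, (content, hidden) in files.items():
        extent = first_data_sector + len(data) // SECTOR
        records += _dir_record(name.encode("ascii"), extent, len(content),
                               FLAG_HIDDEN if hidden else 0)
        data += content + b"\x00" * (-len(content) % SECTOR)  # pad to a sector boundary
    root_dir = bytes(records) + b"\x00" * (SECTOR - len(records))
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1   # type 1 = primary volume descriptor
    pvd[128:132] = _both16(SECTOR)               # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_sector, SECTOR, FLAG_DIRECTORY)
    terminator = bytearray(SECTOR)
    terminator[0], terminator[1:6], terminator[6] = 255, b"CD001", 1
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(terminator) + root_dir + bytes(data)


def list_root(image: bytes) -> list[IsoEntry]:
    """Walk the root directory of an ISO 9660 image without mounting it."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image (no primary volume descriptor)")
    block = struct.unpack_from("<H", pvd, 128)[0]
    root_extent = struct.unpack_from("<I", pvd, 156 + 2)[0]
    root_len = struct.unpack_from("<I", pvd, 156 + 10)[0]
    directory = image[root_extent * block:root_extent * block + root_len]
    entries: list[IsoEntry] = []
    off = 0
    while off < len(directory):
        rec_len = directory[off]
        if rec_len == 0:                      # zero length = padding up to the next block
            off = (off // block + 1) * block
            continue
        rec = directory[off:off + rec_len]
        if len(rec) < 34:
            raise ValueError("truncated directory record")
        off += rec_len
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):       # "." and ".." entries
            continue
        name = ident.decode("ascii", "replace").split(";")[0]  # drop ";1" version suffix
        size = struct.unpack_from("<I", rec, 10)[0]
        flags = rec[25]
        entries.append(IsoEntry(name, size, bool(flags & FLAG_HIDDEN), bool(flags & FLAG_DIRECTORY)))
    return entries


def triage(image: bytes) -> dict:
    """Flag the ISO lure pattern: shortcut + DLL (often hidden) + decoy document in one image."""
    entries = list_root(image)
    shortcuts = [e for e in entries if e.name.lower().endswith(".lnk")]
    dlls = [e for e in entries if e.name.lower().endswith(".dll")]
    decoys = [e for e in entries if e.name.lower().endswith((".pdf", ".doc", ".docx"))]
    findings = []
    if shortcuts and dlls:
        findings.append("shortcut and DLL in the same image (LNK launches the loader)")
    if any(e.hidden for e in dlls):
        findings.append("DLL carries the hidden flag (user sees only the decoy when mounted)")
    if shortcuts and decoys:
        findings.append("decoy document shipped next to a shortcut")
    return {"entries": [e.name for e in entries],
            "hidden": [e.name for e in entries if e.hidden],
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample input. Only the decoy filename is from the advisory; the
# shortcut and DLL names are hypothetical placeholders, not the campaign's real files.
SAMPLE_LURE_IMAGE = build_iso({
    "ICA-declass.pdf": (b"%PDF-1.4 decoy: Foreign Threats to the 2020 U.S. Federal Elections", False),
    "report.lnk": (b"constructed shortcut bytes", False),
    "helper.dll": (b"MZ constructed loader bytes", True),
})
SAMPLE_BENIGN_IMAGE = build_iso({"notes.pdf": (b"%PDF-1.4 benign document", False)})

if __name__ == "__main__":
    for label, img in (("lure", SAMPLE_LURE_IMAGE), ("benign", SAMPLE_BENIGN_IMAGE)):
        print(label, triage(img))
```

The findings are a heuristic for this lure family, not a malware verdict: a legitimate ISO can contain a DLL and a shortcut. In a gateway, `triage` would gate the attachment for detonation or analyst review, and the hidden-flag check matters because a user who mounts the image sees only the decoy PDF and the shortcut that pretends to open it.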
Cobalt Strike is a commercial adversary-simulation and penetration testing framework, but cracked and leaked copies are widely used by threat actors, and its Beacon payload is a common post-exploitation implant. It is unclear how successful the campaign was before it was disrupted, but CISA and the FBI have published indicators of compromise so defenders can hunt for it in their own environments.