
SolarWinds Hackers Return, Launch Phishing Campaign Using Compromised Account of US Foreign Aid Agency

The SolarWinds hackers are back, this time using a compromised marketing email account belonging to a United States federal agency to run a phishing campaign against some 150 organizations in 24 countries, many of them government agencies. The attack was particularly high risk because mail sent from the genuine account could sail straight past sender-based filtering and into the inboxes of thousands of recipients with sensitive job titles.

SolarWinds hackers continue their high-profile attacks

Microsoft tracks the SolarWinds hackers as Nobelium, a name it assigned to the group after its compromise of the SolarWinds Orion IT monitoring platform last year. Fortunately the current phishing campaign does not appear to have come anywhere near matching the damage done by the Orion attack, in which a trojanized update reached some 18,000 of the platform's customers before the backdoor was discovered and removed.

A blog post from Microsoft describes the phishing campaign as having caused “limited damage”, without “any significant number of compromised organizations.” The attack had serious potential, however, and investigations into its reach will undoubtedly continue.

The phishing campaign began with the compromise of a Constant Contact marketing email account belonging to the United States Agency for International Development (USAID), a federal government agency responsible for about half the foreign aid that the US distributes around the world. The agency oversees some $27.2 billion in federal money and operates in over 100 countries.

This gave the SolarWinds hackers an advantage most threat actors only dream of: not only a known and trusted federal government sender from which to run the phishing campaign, but also a large contact list spanning domestic and foreign government agencies as well as non-governmental organizations.

The group wasted little time distributing authentic-looking phishing emails to these contacts. Each carried a disguised link that led, via the marketing service's own link-tracking redirect, to attacker-controlled infrastructure serving an ISO image. Inside was a malicious DLL that Microsoft calls NativeZone, a loader that in turn runs a Cobalt Strike Beacon, giving the attackers surreptitious remote control of the infected system and a channel for quietly exfiltrating sensitive data. Microsoft says the campaign was first observed on January 28, 2021, when the group sent a series of tracking emails to probe which contacts were likely to click on a link.

The SolarWinds hackers targeted some 3,000 email accounts at about 150 organizations. The campaign ran through May, changing its targeting and delivery techniques several times in an attempt to evade detection, and peaked on May 25, when thousands of contacts were sent phishing emails at once. Although the attackers tailored their infrastructure and tooling to individual targets, Microsoft reports that automated antivirus and anti-malware systems picked up on many of the emails and blocked them. Microsoft has since updated Microsoft Defender to detect and block the malware used in the campaign.

Phishing campaign sheds more light on SolarWinds hackers

Taken together with the Orion attack, this phishing campaign shows a consistent pattern: the SolarWinds hackers first compromise a trusted source (a software update, a marketing email account) and then use that trust to reach high-value government targets. In the Orion attack, the vast majority of organizations that installed the backdoored update were never touched again; the hackers concentrated their follow-on activity on a small number of high-value victims, federal agencies among them.

The target selection also strengthens the case for a foreign government connection. Microsoft notes that across the two campaigns the SolarWinds hackers have disproportionately focused on government agencies and on human rights and humanitarian organizations.

Wired reports that the SolarWinds hackers are members of the SVR, Russia's foreign intelligence service, a claim the agency's director has denied. The SVR has been linked to intrusions into US political and government networks going back to the 2016 election cycle, when US intelligence agencies tied the group also tracked as APT29 or Cozy Bear to the breach of the Democratic National Committee's network. Ilia Kolochenko, Founder, CEO and Chief Architect of ImmuniWeb, believes that the finger-pointing ultimately has little practical application for most parties involved: “Sadly, the mechanics of modern international law are toothless to indict and prosecute a sovereign state. Thus, even if it is once proven that the new attack was organized by a specific country, no trial or compensation will likely take place. Sanctions and counter-sanctions have been in place for almost a decade but seem to have no effect on the surging state-sponsored hacking campaigns … Moreover, reliable attribution of these attacks to any state is somewhat problematic both technically and legally speaking. First, many nation-state actors purposely hire foreign cyber mercenaries who have no connections with their countries. Oftentimes, they deal via so-called brokerage, making attribution even harder by placing hacking orders with trusted intermediaries who later hire and pay the attackers.”

A former Department of Homeland Security cybersecurity consultant told Wired that USAID is “a mess of unaccountable, subcontracted IT networks and infrastructure.” A breakdown of the technical aspects of the attack by Ars Technica suggests that agencies that fell victim may be in a similar state. The phishing emails most targets received had some questionable elements, but they looked legitimate enough at a glance and came from a trusted “” address that was not spoofed. Recipients who clicked the link to the purported documents received an ISO image containing a decoy PDF, a shortcut named “reports” and a DLL with the hidden attribute set; opening the shortcut launched the DLL in the background through rundll32.exe. A cursory knowledge of file formats should have told any end user who made it this far that neither an ISO image nor a shortcut is needed to share or open a PDF. Earlier in the campaign the ISO was hosted on Firebase in an innocuous form, without the malware payload, which Microsoft believes was used to track who opened the file.
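One detection a defender can derive from the chain above (an added example for this article, not code from Microsoft, Ars Technica or the article's author): on Windows, double-clicking an ISO mounts it under a new drive letter, and Microsoft's write-up describes the “reports” shortcut invoking rundll32.exe to load the DLL. The script below scans constructed, Sysmon-style process-creation records (the field names, paths and command lines are assumptions made for this example) and flags rundll32 loading a DLL from a non-system drive or a user-writable path, escalating when the parent process is explorer.exe, which is what a double-clicked shortcut looks like in telemetry. It assumes C: is the system drive.

```python
"""Flag rundll32.exe loading a DLL from a mounted image or user-writable path.

Added example for this article; not code from Microsoft, Ars Technica or the
article's author. The records below are constructed, Sysmon-style process-creation
events; the field names, paths and command lines are assumptions for the example.
"""
import re
from typing import List, Optional

# rundll32 command lines take the form:  rundll32.exe <dll path>,<entry point>
# The DLL path may be quoted; the rundll32 image may be a bare name or a full path.
RUNDLL_RE = re.compile(
    r'^"?(?:[^"\s]*[\\/])?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

# Locations rundll32 normally loads DLLs from. Assumes C: is the system drive.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")


def dll_location_risk(path: str) -> str:
    """Classify a DLL path as 'system', 'non-system-drive', 'user-writable' or 'other'."""
    p = path.lower().strip()
    if p.startswith(SYSTEM_DIRS):
        return "system"
    # A mounted ISO (or VHD, or removable media) appears as a drive other than C:.
    if re.match(r"^[a-z]:\\", p) and not p.startswith("c:\\"):
        return "non-system-drive"
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    return "other"


def assess(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious rundll32 launch, or None if benign or irrelevant."""
    m = RUNDLL_RE.match(event.get("CommandLine", ""))
    if not m:
        return None
    dll = m.group("dll").strip()
    risk = dll_location_risk(dll)
    if risk == "system":
        return None  # rundll32 loading from Windows or Program Files is routine
    reasons = [f"rundll32 loading DLL from {risk} location: {dll}"]
    severity = "medium"
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\explorer.exe"):
        # explorer.exe as parent is how a double-clicked .lnk shows up in telemetry
        reasons.append("parent is explorer.exe, consistent with a double-clicked shortcut")
        severity = "high"
    return {"severity": severity, "dll": dll, "entry": m.group("entry"), "reasons": reasons}


def scan(events: List[dict]) -> List[dict]:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry (not real logs). Event 1 mimics the ISO/shortcut chain:
# the image mounted as D:, and the shortcut launched rundll32 against a DLL on that drive.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe D:\report.dll,Run",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Benign: Control Panel applet launched through rundll32 from System32.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Suspicious, lower confidence: DLL staged in %TEMP% and launched from a shell.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\x.dll,Start",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: vendor DLL under Program Files.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\helper.dll",Init',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Irrelevant: not rundll32 at all.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["dll"], "|", "; ".join(finding["reasons"]))
```

Two findings come out of the sample: the D: launch from explorer.exe as high, the %TEMP% launch as medium; the shell32 and Program Files launches and the notepad event are dropped. USB sticks and other removable media also mount under new drive letters, so in production this rule is best correlated with a preceding file-creation event for an .iso or .img in the user's mail or download folders rather than run on its own.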

Dirk Schrader, Global Vice President of Security Research at New Net Technologies (NNT), feels that incidents such as this phishing campaign may complicate future employee training given that verifying the legitimacy of sender email addresses is usually a key step: “This attack pattern shown by Nobelium and others will make employee awareness training even more difficult than it already is by using credible sources. Employees will have more difficulties with the distinction of good and bad, of trusted and untrusted, which increases the importance of having an onion layer approach to security controls, overlapping each other as a backup.”

While this relatively blunt approach was the main technique used in the phishing campaign, the hackers altered their delivery for certain recipients using iPhones or iPads. Those devices were redirected to a page serving an exploit for a WebKit vulnerability, CVE-2021-1879, that Apple had patched in late March. It had been a zero-day when first exploited, but by the time of this campaign only devices still running the older, unpatched iOS versions were exposed.