SolarWinds Hackers Return, Launch Phishing Campaign Using Compromised Account of US Foreign Aid Agency

  • The SolarWinds hackers are back again, this time leveraging the stolen email account of a United States federal agency to run a phishing campaign against 150 government entities in 24 countries. The attack is particularly high risk as the credentials could have allowed the phishing emails to sail straight into the inboxes of thousands of recipients with sensitive job titles.
  • A blog post from Microsoft refers to the phishing campaign as resulting in “limited damage” without “any significant number of compromised organizations.”
  • The group wasted little time in distributing authentic-looking phishing emails to contacts associated with a Constant Contact marketing email account belonging to the United States Agency for International Development (USAID), a federal government agency responsible for about half the foreign aid that the US distributes around the world.
  • The email was packed with a disguised link leading to an attack site that installed the NativeZone malware. NativeZone allows for surreptitious remote control of infected systems and can be used to quietly exfiltrate sensitive data.
  • The SolarWinds hackers made attempts on some 3,000 email accounts belonging to about 150 organizations. The campaign ran through May, changing its targeting and delivery techniques several times in an attempt to foil detection.
  • WHAT WE KNOW – the SolarWinds hackers have a focus on first compromising trusted sources (software updates, email accounts) and then using them to phish high-value government targets.
  • Wired is now reporting that the SolarWinds hackers are members of the SVR foreign intelligence agency, a claim that the head of the agency has denied.
  • While this relatively blunt approach was the main technique used in the phishing campaign, the hackers did alter their strategy for certain recipients with iPhones or iPads. These recipients were targeted with a zero-day vulnerability that Apple patched back in late March.

– Scott Ikeda | May 31, 2021