A Constant Contact booth display at the eAltitude Summit in 2020. Researchers from Microsoft on Thursday reported that the APT group, referred to as Nobelium, compromised a client of Constant Contact, an online marketing services company utilized largely by small businesses for publicity and mass-mailings purposes. (“Nicole Breanne – Alt Summit 2020 – Sponsors – Constant Contact-8280” by Altitude Summit is licensed under CC BY-NC 2.0)

The Russian state-sponsored hackers behind the SolarWinds supply chain attack relied on a decidedly more cybercrime-styled playbook for their latest reported attack, launching a sweeping phishing campaign designed to distribute malware to organizations via weaponized communications sent from a compromised email marketing account.

Despite the threat group’s high-profile nature, the lessons for email marketing account holders and their recipients are the same ones that apply to most other phishing attacks. Experts say that users of email services must employ proper password hygiene and use authentication tools such as multi-factor authentication to ensure no one takes over their accounts, while recipients must install effective email security solutions and be properly trained to avoid engaging with suspicious links and attachments, even when it comes from a seemingly trusted source.

Researchers from Microsoft on Thursday reported that the APT group, referred to as Nobelium, compromised a client of Constant Contact, an online marketing services company utilized largely by small businesses for publicity and mass-mailings purposes. The affected account in this case belonged the United States Agency for International Development (USAID), an independent federal agency that administers civilian foreign aid and development assistance.

Using this hijacked account, the adversaries sent phishing emails to roughly 3,000 email accounts at more than 150 different organizations, reported Microsoft blog post author Tom Burt, corporate vice president, customer security and trust. About 25% of these targets were international development, humanitarian and human rights organizations – employees of which might not flinch at the sight of an email from USAID, especially one sent from a credible and legitimate marketing service such as Constant Contact.

For that matter, “marketing is also deemed more likely to have sent an unsolicited email without ringing alarm bells compared to, say, phishing [emails] with an invoice,” Saumitra Das, chief technology officer at Blue Hexagon pointed out.

“This attack pattern shown by Nobelium and others will render employee awareness and related training even less efficient than it already is,” said Dirk Schrader, global vice president, security research at New Net Technologies. “Using credible sources as in this case, employees will have more difficulties with the distinction of those emails which are safe and those who aren’t.”

“Using legitimate infrastructure is typically the ultimate goal for any attacker, so this was a boon for Nobelium,” added Sean Nikkel, senior cyber threat intel analyst at Digital Shadows. “It’s a perfect attacker scenario and – outside of the attachments raising a red flag – would’ve probably fooled even the most cynical of security experts at first glance.”

While the operation began in late January 2021 – shortly after the SolarWinds attack was publicly exposed – it exploded in volume once the Nobelium actors began abusing the Constant Contact service in May of this year. “This new wide-scale email campaign leverages the legitimate service Constant Contact to send malicious links that were obscured behind the mailing service’s URL (many email and document services provide a mechanism to simplify the sharing of files, providing insights into who and when links are clicked),” Burt wrote.

In some cases, the phishing emails would “appear to originate from USAID<[email protected]>,while having an authentic sender email address that matches the standard Constant Contact service,” the Microsoft blog post stated. This address (which varies for each recipient) ends in@in.constantcontact.com, and… a Reply-To address of <[email protected]>was observed.”

In one featured example, the body of the text made it appear like a USAID alert with a link that supposedly produced documents on election fraud that were published by former President Donald Trump. But those who clicked would be infected with a malicious ISO file that would result in secondary payload infections. 

Sherrod DeGrippo, senior director, threat research and detection at Proofpoint, said that the adversary ripped this attack right out of the typical cybercriminal actor playbook. 

“We absolutely see these legitimate email marketing services used by attackers all day every day. It’s not just Constant Contact, it’s all of them. We also see them being used heavily by typical crimewire actor groups,” said DeGrippo. “A lot of times the actual owner of those domains has to go in and follow an authentication process from the marketing platform provider to prove that they own that domain.” But then later the domain owner is unknowingly breached, and the attackers take advantage of this false legitimacy, she explained.

DeGrippo speculated that Nobelium may have pivoted to these new tactics because “some of the spoils of SolarWinds are starting to no longer return the value that they had been.” In general, she noted, APT groups are increasingly adopting cybercriminal behaviors, in part because they are simple and quick to execute, and also because many local script kiddies or cyber gang members get recruited into these nation-state groups, where they continue to use the tactics and tricks they’re already familiar with. “They’re absolutely following the playbooks of crimeware and a lot of that is because some of these individuals maybe have come from the crimeware world,” she said.

To counter these threats, responsible password management is a must from the sender or mass mailing service’s account-holder side. Too often, said DeGrippo, marketing services are set up such that “everyone in a sales group gets the same password and can use the marketing platform however they want.” In reality, “they’ve got to have better hygiene around that,” and “they’ve got to turn on multi-factor authentication, if the particular platform allows it,” she said.

Indeed, “don’t underestimate the impact any misuse of your third-party accounts can have to your organization,” said Schrader. “Treat them like you treat your own infrastructure.”

Meanwhile, the marketing service providers themselves “need to be a little more diligent about making sure that they’re not being abused by threat actors,” DeGrippo added. Jorge Orchilles, CTO at Scythe, agreed, noting: “Our current security awareness training teaches users to not open emails from domains and addresses that they do not recognize. Using Constant Contact gets around what we have trained most users to do. Constant Contact needs to ensure all users/accounts have multi-factor authentication and security controls so this does not happen again.”

Email recipients on the other hand, should employ secure email gateway network defenses, and, if possible, fortify that offering with endpoint detection and response, she said.

Schrader similarly recommended establishing an “onion-layer approach to security controls, overlapping each other as a backup. Prevention is rather difficult when a company is at the receiving end of such malicious campaign using trusted but compromised accounts. The detection capabilities do gain importance, and along the cyber kill chain it will be about detecting malicious changes as early as possible.”

Despite the use of a trusted contact, there were suspicious aspects to these emails that employees potentially could have spotted.

“Considering what the message is saying may… be a significant clue,” said Nikkel. “USAID is involved with foreign aid, so why would they be sending messages about election fraud? Inflammatory language like this is a hallmark of any phishing campaign.”

Nikkel also suggest that recipients also glance at the URLs embedded in email links. “Though there are techniques around impersonating domains, typically, an organization like USAID or similar would have links to their existing domains or pages in the email. Simply hovering a cursor over the link will tell you everything you need to know, and if it doesn’t look trustworthy, go to the actual company site and find what you’re looking for there directly.”

“Beyond that, setting up user privileges so that not anyone can mount an ISO image or install programs or having security tools in place that can either strip or inspect attachments could also potentially defend against similar attacks,” he added.

Today, FireEye followed up on Microsoft’s blog post, noting in emailed comments that its threat intelligence team also picked up on the same activity.

“FireEye has been tracking multiple waves of related spear phishing emails that have been sent since March 2021,” wrote John Hultquist, vice president of analysis at Mandiant Threat Intelligence. “In addition to the USAID content, they have leveraged a variety of lures, including diplomatic notes and invitations from embassies. All of these operations have focused on government, think tanks, and related organizations that are traditionally targeted by [Russian Foreign Intelligence Service] SVR operations.”

“Though the SolarWinds activity was remarkable for its stealth and discipline, loud, broad spearphishing operations were once the calling card of SVR operators who often carried out noisy phishing campaigns. Those operations were often effective, gaining access to major government offices among other targets. And while the spear phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy,” Hultquist continued. “The most recent activity appears to have ramped up just as the supply-chain-based compromises were spinning down. Given the brazen nature of this incident, it does not appear the SVR is prepared to throttle down on their cyberespionage activity, let alone go to great efforts to hide new activity.”