Spearphishing campaign targeting government orgs


By Dylan Bushell-Embling
Tuesday, 01 June, 2021

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a threat advisory about a sophisticated spearphishing campaign targeting government organisations, intergovernmental organisations and NGOs.

Investigations have found that the threat actor sent phishing emails to more than 7000 accounts across approximately 350 such organisations, but the campaign does not appear to be specifically targeting any individual accounts.

The attacker has leveraged a compromised end-user account from Constant Contact, a legitimate email marketing software company, to distribute malicious URLs while posing as a US-based government organisation.

While open-source reporting has attributed the attack campaign to the attack group known as Nobelium, CISA and the FBI have not attributed it to any threat actor at this time.

The attack campaign linked to an ISO file containing a DLL named Documents.dll, which uses the Cobalt Strike DNS beacon, as well as a decoy file which appears to be a copy of the declassified Intelligence Community Assessment into foreign threats to the 2020 US elections.

Cobalt Strike is a commercial penetration testing tool used to conduct red team operations, and contains attack tools such as a keystroke logger, file injection capability and network services scanners.

CISA and the FBI are urging at-risk organisations to implement multifactor authentication for all accounts and carefully monitor their systems for indicators of compromise.
