Security News > 2021 > June > SolarWinds Hackers Target Think Tanks With New 'NativeZone' Backdoor
Microsoft on Thursday disclosed that the threat actor behind the SolarWinds supply chain hack returned to the threat landscape to target government agencies, think tanks, consultants, and non-governmental organizations located across 24 countries, including the U.S. Some of the entities that were singled out include the U.S. Atlantic Council, the Organization for Security and Co-operation in Europe, the Ukrainian Anti-Corruption Action Center, the EU DisinfoLab, and the Government of Ireland's Department of Foreign Affairs.
The attacks leveraged a legitimate mass-mailing service called Constant Contact to conceal its malicious activity and masquerade as USAID, a U.S.-based development organization, for a wide-scale phishing campaign that distributed phishing emails to a variety of organizations and industry verticals.
In another variation of the targeted attacks detected before April, Nobelium experimented with profiling the target machine after the email recipient clicked the link.
"The very narrow and specific set of email identifiers and organizations observed by CTU researchers strongly indicate that the campaign is focused on U.S. and European diplomatic and policy missions that would be of interest to foreign intelligence services," researchers from Secureworks Counter Threat Unit noted.
The latest attacks add to evidence of the threat actor's recurring pattern of using unique infrastructure and tooling for each target, thereby giving the attackers a high level of stealth and enabling them to remain undetected for extended periods of time.
The ever-evolving nature of Nobelium's tradecraft is also likely to be a direct response to the highly publicized SolarWinds incident, suggesting the attackers could further continue to experiment with their methods to meet their objectives.