Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



CISA-FBI Alert: 350 Organizations Targeted in Attack Abusing Email Marketing Service

An alert released on Friday by the FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) revealed that the number of organizations targeted in a recent attack abusing a legitimate email marketing service was higher than initially reported.

An alert released on Friday by the FBI and the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) revealed that the number of organizations targeted in a recent attack abusing a legitimate email marketing service was higher than initially reported.

Microsoft reported last week that the Russia-linked threat actor it tracks as Nobelium, which is believed to be responsible for the SolarWinds supply chain attack, had been abusing a legitimate mass email service named Constant Contact to target government and other types of organizations in the United States and a dozen other countries.

The attacks, which appear to have started on May 25, involved Nobelium compromising the Constant Contact account of the United States Agency for International Development (USAID), which is responsible for civilian foreign aid and development assistance. Microsoft said spear-phishing emails apparently coming from USAID and set up to deliver malware were sent to roughly 3,000 accounts across more than 150 organizations.

However, according to the FBI and CISA, the attackers actually sent spear-phishing emails to over 7,000 accounts at 350 organizations, including government, non-governmental and intergovernmental organizations.

Incident response firm Volexity, which has also seen the phishing emails sent out via Constant Contact, found some links to APT29, a well-known cyberspy group tied to Russia. In their joint alert, CISA and the FBI acknowledge the reports linking the USAID-themed attack to APT29, but the agencies say they have yet to attribute the campaign to any threat actor.

In their alert, the two agencies don’t mention the link to the SolarWinds attack and they don’t name the government agency being impersonated. They did note that the spoofed emails contained a legitimate Constant Contact link that redirected users to a malicious URL set up to serve a malicious ISO file containing malware and a decoy PDF document.

USAID phishing email

Microsoft noted that it had not seen “evidence of any significant number of compromised organizations at this time” and the White House reported that U.S. government agencies had largely fended off the attack.

Advertisement. Scroll to continue reading.

CISA and the FBI have shared indicators of compromise (IOCs) that organizations can use to detect attacks. They also published a separate report focusing on the malware used in the attack.

In a second new blog post on Nobelium attacks, Microsoft described four pieces of malware used by the threat actor in recent operations, specifically EnvyScout, BoomBox, NativeZone, and VaporRage.

Microsoft also mentioned in its blog posts that Nobelium has exploited an iOS zero-day in some of its attacks. The vulnerability in question, tracked as CVE-2021-1879, was patched in March by Apple, which credited Google’s Threat Analysis Group for reporting it. Apple warned at the time that the “issue may have been actively exploited,” but no other details were made public.

In its latest blog posts on Nobelium, Microsoft also only provided limited information on the use of CVE-2021-1879.

“In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served,” Microsoft said.

Related: US Expels Russian Diplomats, Imposes Sanctions for Hacking

Related: SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.