In a report, the ANSSI (French National Cybersecurity Agency) revealed that it has observed several phishing campaigns directed against French entities since February 2021. These compromised email accounts of French organizations were used to spread the malware and send malicious emails to foreign institutions and they have been ascribed to the Nobelium set.
Per the report, the French entities have also been recipients of malicious emails sent from compromised foreign institutions. The agency has attributed these attacks to the Nobelium intrusion set. The Russian-backed Nobelium hacking group is also responsible for last year’s SolarWinds attack.
According to Microsoft, Nobelium was active in October 2021. The intrusion set was possibly used during attack campaigns that target Active Directory Federation Services servers to compromise government bodies, think tanks, and private firms in the U.S. and Europe.
“The Microsoft Threat Intelligence Center (MSTIC) observed NOBELIUM attempting to compromise systems through an HTML file attached to a spear-phishing email. When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive. From here, a shortcut file (LNK) would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system,” Microsoft added.
Recommendations
1. Restrict the execution of file attachments
Given the chain of compromise, which relies on the opening of a malicious file attachment as part of a phishing campaign, it is recommended that suspicious files are not executed.
2. Tightening Active Directory security
The intrusion set tends to focus on Active Directory (AD) servers in particular. Tighter security measures should be applied. ANSSI has produced a guide containing recommendations for security hardening, which can be found on the CERT-FR website.
The Nobelium Attacks
- Pentagon (August 2015)
- Democratic National Committee (2016)
- US think tanks and NGOs (2016)
- Norwegian government (2017)
- Dutch ministries (2017)
- Operation Ghost
- COVID-19 vaccine data (2020)
- SUNBURST malware supply chain attack (2020)
- Republican National Committee (2021)
Mandiant, which has been tracking the Russian threat actor closely since the SolarWinds supply chain attack has shared a few observations in its report.
- Compromise of multiple technology solutions, services, and reseller companies since 2020.
- Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
- Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
- Use of both residential IP proxy services and newly provisioned geo located infrastructure to communicate with compromised victims.
- Use of novel TTPs to bypass security restrictions within environments including but not limited to the extraction of virtual machines to determine internal routing configurations.
- Use of a new bespoke downloader called CEELOADER.
- Abuse of multi-factor authentication leveraging “push” notifications on smartphones.
“In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts,” Mandiant said.
This reflects what has been reported in the French organizations’ case where the compromised emails are further used to launch attacks on foreign institutions – creating routes to access other victim environments.
