{"id":7236,"date":"2021-10-28T10:24:35","date_gmt":"2021-10-28T17:24:35","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7236"},"modified":"2021-10-28T10:25:32","modified_gmt":"2021-10-28T17:25:32","slug":"nobelium-rides-again","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/nobelium-rides-again\/","title":{"rendered":"NOBELIUM Rides Again"},"content":{"rendered":"

Microsoft noted in a 24 October, 2021 <\/span>publication<\/span><\/a> that Russia\u2019s external intelligence service, the SVR, is behind yet another campaign to compromise targeted corporate and U.S. government networks and assets. As before, the resources of threat actors sponsored by a major nation state are focused against global IT supply chains.<\/span><\/p>\n

SVR involved has been identified by U.S. intelligence and tracked by Microsoft as NOBELIUM. NOBELIUM is also known as the APT29 and Cozy Bear hacking groups\u00b9<\/span>. This is the same notorious threat actor that executed the SolarWinds attack against U.S. software companies in 2020. NOBELIUM appears to have been operating since 2008. They directly target government networks in Europe, research institutes, and think tanks. <\/span>APT29<\/span><\/a> is infamous for their compromise of the Democratic National Committee starting in the summer of 2015.<\/span><\/p>\n

The targeted business segment receiving attention during this attack window seems to be \u201cresellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.\u201d\u00b2<\/span> Microsoft has estimated that \u201cas many as 14 of these resellers and service providers have been compromised.\u201d Microsoft first observed this latest campaign in May 2021 and has notified over 140 resellers and technology partners.<\/span><\/p>\n

NOBELIUM was previously tied to attacks against critical organizations in the global IT supply chain. In the SolarWinds attack, the threat actors introduced malware via a software update platform that ultimately provided direct access to thousands of downstream customer networks. Microsoft\u2019s conclusion is that Russia is trying to gain \u201clong-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.\u201d\u00a0<\/span><\/p>\n

Infoblox has been tracking and investigating NOBELIUM and their various malicious efforts for some time. On 2 June, 2021, our Cyber Intelligence Unit (CIU) published the <\/span>Cyber Threat Advisory: Nobelium Campaigns and Malware<\/span><\/a>. In this CTA we noted that NOBELIUM began conducting a new malicious email campaign since February 2021. It differs significantly from their previous operations that ran from the widely publicized Solarwinds attack. In this early summer campaign, NOBELIUM distributed multiple waves of spear-phishing emails, each revealing an evolution of their malware delivery techniques.<\/span><\/p>\n

The following cyber threat advisories published by Infoblox on the SolarWinds attack provide more information.\u00a0<\/span><\/p>\n