Nobelium Hackers


Narkis Eatman

Aug 3, 2024, 10:43:20 AM
to pretunralap

The Nobelium group came to light when Microsoft notified them on their website. At the end of December 2020, a series of advanced cyber attacks occurred against SolarWinds Corporation. Russian hackers are notorious and have been accused of carrying out highly sophisticated cyber attacks.

The cyber attacks by the Nobelium group were first identified by Microsoft Corporation. The company regarded this organization as an advanced persistent threat (APT) group, which targets network and cloud service providers through piggybacking.

However, Microsoft believed that this level of attack would have taken 1000 hackers to execute. The group is believed to carry out attacks through phishing, spray-and-pray credential stuffing, token theft, abusing APIs, etc.

Nobelium is the Russian cybercriminal group that infected software named Orion. Then they injected it into the systems of SolarWinds Corporation through supply chain attacks, along with many other companies. The threat actors infected the software, which was provided by the SolarWinds company. This is how they targeted the customers of SolarWinds Corp.

SolarWinds Corporation is a software company that provides system management and technical services to various organizations globally. These services are meant to manage the infrastructure and monitor the network. Orion was an IT performance management system that had access to thousands of networks of customers.

The Nobelium hacker group inserted malicious code into the Orion network management system, which was used by numerous government agencies and multinational companies globally. Due to the addition of this malicious code, the Orion Platform created a backdoor. This allowed the hackers to access accounts and impersonate users of victim organizations.

FireEye is the company that first identified the breach and notified people globally. Then Microsoft took the initiative to explore the extent of the attack. The infected software implanted by Nobelium remained undetected until December 2020. Then, Microsoft released a series of technical guidelines so that customers could take precautionary measures.

Nation-state cyber attacks are considered some of the most malicious and dangerous. These attacks are carried out in the interest of a host country to damage the target nation. Some of the state-sponsored hacker groups are:

The purpose of state-sponsored cyber attacks is to target the critical infrastructure, think tanks, and government agencies of other countries. So, every organization keeps on improving its cyber infrastructure to defend against such attacks, and at the same time, threat actors develop sophisticated methods to carry out attacks.

Most ransomware attacks are carried out through email spamming or email spoofing. Those emails are meant to lure the target to click on a link to a phishing website, where they are asked to provide credentials. This is how they lose their credentials. Secondly, these emails might contain malware that could lead to a data breach or network breach.

Sanjana is a Security Compliance Executive working on best-of-the-industry-level compliances relevant from a cybersecurity perspective, their implementation, learning and outcomes in various business domains.

Security Compliance Executive. Department: Compliance, Threatcop.

Microsoft didn't specify which countries were targeted in the recent campaign, but Nobelium has a history of conducting espionage against foreign ministries and diplomatic entities in countries that are part of NATO and the European Union.

Nobelium is responsible for several high-profile incidents, including the SolarWinds supply chain attack in 2020 that affected thousands of organizations globally and led to a series of data breaches.

During the war in Ukraine, Nobelium has carried out cyberattacks against the Ukrainian military and its political parties, as well as international governments, think tanks and nonprofit organizations.

In a recent campaign, Microsoft observed Nobelium hackers using low-reputation proxy services that allowed them to route their internet traffic through regular households instead of commercial entities. This helped hackers to conceal their actual IP address and location.

Microsoft said that it informed its customers who were targeted or impacted by the actions of a state-sponsored threat actor. However, the company did not disclose the specific names of Nobelium victims.

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Security Service (AIVD) deduced from security camera footage that it is led by the Russian Foreign Intelligence Service (SVR),[5] a view shared by the United States.[4] Cybersecurity firm CrowdStrike also previously suggested that it may be associated with either the Russian Federal Security Service (FSB) or SVR.[2] The group has been given various nicknames by other cybersecurity firms, including CozyCar,[6] CozyDuke[7][8] (by F-Secure), Dark Halo, The Dukes (by Volexity), Midnight Blizzard[9] (by Microsoft), NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM.

Kaspersky Lab determined that the earliest samples of the MiniDuke malware attributed to the group date from 2008.[1] The original code was written in assembly language.[11] Symantec believes that Cozy Bear had been compromising diplomatic organizations and governments since at least 2010.[12]

The CozyDuke malware utilises a backdoor and a dropper. The malware exfiltrates data to a command and control server. Attackers may tailor the malware to the environment.[1] The backdoor components of Cozy Bear's malware are updated over time with modifications to cryptography, trojan functionality, and anti-detection. The speed at which Cozy Bear develops and deploys its components is reminiscent of the toolset of Fancy Bear, which also uses the tools CHOPSTICK and CORESHELL.[13]

Cozy Bear's CozyDuke malware toolset is structurally and functionally similar to second stage components used in early Miniduke, Cosmicduke, and OnionDuke operations. A second stage module of the CozyDuke malware, Show.dll, appears to have been built onto the same platform as OnionDuke, suggesting that the authors are working together or are the same people.[13] The campaigns and the malware toolsets they use are referred to as the Dukes, including Cosmicduke, Cozyduke, and Miniduke.[12] CozyDuke is connected to the MiniDuke and CosmicDuke campaigns, as well as to the OnionDuke cyberespionage campaign. Each threat group tracks its targets and uses toolsets that were likely created and updated by Russian speakers.[1] Following the exposure of MiniDuke in 2013, updates to the malware were written in C/C++ and it was packed with a new obfuscator.[11]

Seaduke is a highly configurable, low-profile Trojan only used for a small set of high-value targets. Typically, Seaduke is installed on systems already infected with the much more widely distributed CozyDuke.[12]

Cozy Bear appears to have different projects, with different user groups. The focus of its project "Nemesis Gemina" is military, government, energy, diplomatic and telecom sectors.[11] Evidence suggests that Cozy Bear's targets have included commercial entities and government organizations in Germany, Uzbekistan, South Korea and the US, including the US State Department and the White House in 2014.[13]

In March 2014, a Washington, D.C.-based private research institute was found to have CozyDuke (Trojan.Cozer) on their network. Cozy Bear then started an email campaign attempting to lure victims into clicking on a flash video of office monkeys that would also include malicious executables.[1][12] By July the group had compromised government networks and directed CozyDuke-infected systems to install Miniduke onto a compromised network.[12]

In the summer of 2014, digital agents of the Dutch General Intelligence and Security Service infiltrated Cozy Bear. They found that these Russian hackers were targeting the US Democratic Party, State Department and White House. Their evidence influenced the FBI's decision to open an investigation.[5][15]

In August 2015, Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.[16][17]

In June 2016, Cozy Bear was implicated alongside the hacker group Fancy Bear in the Democratic National Committee cyber attacks.[2] While the two groups were both present in the Democratic National Committee's servers at the same time, each appeared to be unaware of the other, independently stealing the same passwords and otherwise duplicating each other's efforts.[18] A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC's network for over a year, Fancy Bear had only been there a few weeks.[19] Cozy Bear's more sophisticated tradecraft and interest in traditional long-term espionage suggest that the group originates from a separate Russian intelligence agency.[18]

After the 2016 United States presidential election, Cozy Bear was linked to a series of coordinated and well-planned spear phishing campaigns against U.S.-based think tanks and non-governmental organizations (NGOs).[20]
