# Full Report
Nobelium, the Russian hacking group believed to be responsible for the SolarWinds supply chain attack, has launched new attacks targeting Microsoft customers.
# Analysis Summary
# Threat Actor: Nobelium
## Attribution & Identity
**Attribution:** Russian hacking group.
**Known Aliases and Associated Groups:** APT29, Cozy Bear, The Dukes.
**Historical Activities:** Believed to be responsible for the SolarWinds supply chain attack.
## Activity Summary
Nobelium launched new attacks targeting Microsoft customers. The primary focus of this recent activity was gaining access to privileged accounts. Microsoft confirmed that the majority of attack attempts were unsuccessful, with only three entities known to have been compromised to date.
## Tactics, Techniques & Procedures
- **Credential Attacks:** Used password spraying and brute-force attacks to breach privileged accounts (password spraying tries a single common password across many accounts; brute force tries numerous username/password combinations against the same accounts).
- **Information-Stealing Trojan:** Planted an information-stealing trojan on a Microsoft Support agent's computer to automate and scale the exfiltration of account details.
- **Phishing:** Used the 'basic information' obtained through that access to conduct targeted phishing attacks.
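As an added illustration of the two credential-attack patterns named above (example code, not part of the original report), the following Python separates spray-style failures (one source, many accounts, one or two tries each) from brute-force failures (one source hammering a single account) over constructed sign-in events; the account names, IP addresses and the `admin-` naming convention for privileged accounts are assumptions.

```python
"""Classify failed sign-in activity per source as password spray or brute force."""
from collections import defaultdict

# Constructed sample events, not real telemetry: (timestamp, source_ip, account, result)
SAMPLE_EVENTS = [
    ("2021-06-25T10:00:01", "198.51.100.7", "alice@corp.example", "FAIL"),
    ("2021-06-25T10:00:02", "198.51.100.7", "bob@corp.example", "FAIL"),
    ("2021-06-25T10:00:03", "198.51.100.7", "carol@corp.example", "FAIL"),
    ("2021-06-25T10:00:04", "198.51.100.7", "dave@corp.example", "FAIL"),
    ("2021-06-25T10:00:05", "198.51.100.7", "erin@corp.example", "FAIL"),
    ("2021-06-25T10:00:06", "198.51.100.7", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:00", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:01", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:02", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:03", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:04", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:05", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:01:06", "203.0.113.9", "admin-frank@corp.example", "FAIL"),
    ("2021-06-25T10:02:00", "192.0.2.5", "alice@corp.example", "SUCCESS"),  # benign login
]

PRIVILEGED_MARKER = "admin-"  # assumption: privileged accounts carry this prefix


def classify_sources(events, spray_accounts=5, brute_attempts=6):
    """Return {source_ip: (label, distinct_accounts, total_failures)} for suspicious sources.

    password_spray: one source failing against >= spray_accounts distinct accounts,
                    with at most two failures per account (stays under lockout thresholds)
    brute_force:    one source with >= brute_attempts failures against a single account
    """
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failure count
    for _ts, ip, account, result in events:
        if result == "FAIL":
            fails[ip][account] += 1
    findings = {}
    for ip, per_account in fails.items():
        distinct = len(per_account)
        total = sum(per_account.values())
        top = max(per_account.values())
        if distinct >= spray_accounts and top <= 2:
            findings[ip] = ("password_spray", distinct, total)
        elif top >= brute_attempts:
            findings[ip] = ("brute_force", distinct, total)
    return findings


def privileged_targets(events):
    """Privileged accounts that saw any failed sign-in; prioritise these for review."""
    return sorted({a for _t, _ip, a, r in events
                   if r == "FAIL" and a.startswith(PRIVILEGED_MARKER)})
```

Thresholds are deliberately parameters: tune `spray_accounts` and `brute_attempts` to the tenant's lockout policy and baseline failure rate before alerting on them.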
## Targeting
- **Sectors:** Primarily IT companies (57%), followed by government (20%), non-governmental organizations, think tanks, and financial services.
- **Geography:** Largely focused on US interests (about 45%), followed by the UK (10%).
- **Victims:** Microsoft customers; the one specifically noted compromise is the Microsoft Support agent's computer on which the trojan was planted.
## Tools & Infrastructure
- **Malware Families Used:** Information stealing trojan.
- **Infrastructure (C2, domains, IPs):** Not specified in detail in the provided text.
## Implications
This activity demonstrates Nobelium's continued focus on high-value targets (especially governments and IT-sector supply chain entities) using sophisticated access techniques: password spraying and brute force, combined with a trojan planted on a compromised support agent's machine. The prior association with the SolarWinds attack suggests objectives centred on persistent espionage and supply chain compromise.
## Mitigations
- Implement Multi-Factor Authentication (MFA).
- Adopt Zero-Trust Architecture.
- Secure Privileged Access Management (PAM).