Full Report
Nobelium, the Russian hacking group believed to be responsible for the SolarWinds supply chain attack, has launched new attacks targeting Microsoft customers.
Analysis Summary
# Threat Actor: Nobelium (APT29 / Cozy Bear / The Dukes)
## Attribution & Identity
**Country of Origin:** Russia (Believed to be responsible for the SolarWinds supply chain attack).
**Known Aliases and Associated Groups:** APT29, Cozy Bear, The Dukes.
## Activity Summary
The actor launched new attacks primarily targeting Microsoft customers, following their widely known involvement in the SolarWinds supply chain attack. The focus of these recent attacks was on breaching privileged accounts. Microsoft indicated that the majority of attack attempts were unsuccessful, with three compromised entities known to date.
## Tactics, Techniques & Procedures
- **Account Takeover Attempts:** Focused on breaching privileged accounts.
- **Password Spraying:** Methodically using the same single password across multiple accounts.
- **Brute Force Attacks:** Attempting to breach login portals with a barrage of username/password combinations (noted as accounting for 80% of cyber attacks on web applications generally).
- **Information Stealing Trojan Injection:** Injected a trojan onto a Microsoft Support agent’s computer to automate and scale the exfiltration of account details.
- **Phishing:** Used the 'basic information' it had accessed in targeted phishing attacks.
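The spraying and brute-force patterns listed above look different in authentication logs: spraying is one source failing against many accounts, brute force is one source failing repeatedly against one account, and a spraying source that then signs in successfully is the likely account takeover. The following added example (not code from the report or from Microsoft) runs that distinction over constructed sign-in records; the log format, field names, IP addresses and thresholds are all assumptions chosen for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records for illustration only (not indicators from the report):
# timestamp, source IP, account, result.
SAMPLE_LOG = """
2021-06-25T10:00:01Z 203.0.113.7 alice@example.org FAIL
2021-06-25T10:00:03Z 203.0.113.7 bob@example.org FAIL
2021-06-25T10:00:05Z 203.0.113.7 carol@example.org FAIL
2021-06-25T10:00:07Z 203.0.113.7 dave@example.org FAIL
2021-06-25T10:00:09Z 203.0.113.7 erin@example.org FAIL
2021-06-25T10:00:11Z 203.0.113.7 frank@example.org SUCCESS
2021-06-25T10:01:00Z 198.51.100.9 admin@example.org FAIL
2021-06-25T10:01:02Z 198.51.100.9 admin@example.org FAIL
2021-06-25T10:01:04Z 198.51.100.9 admin@example.org FAIL
2021-06-25T10:01:06Z 198.51.100.9 admin@example.org FAIL
2021-06-25T10:01:08Z 198.51.100.9 admin@example.org FAIL
2021-06-25T10:30:00Z 192.0.2.5 grace@example.org FAIL
2021-06-25T10:30:40Z 192.0.2.5 grace@example.org SUCCESS
"""

def parse_log(text):
    """Parse one record per line into (timestamp, source, account, success), sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, account, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, src, account, result == "SUCCESS"))
    return sorted(events)

def detect(events, window=timedelta(minutes=10), spray_min_accounts=5, brute_min_attempts=5):
    """Flag spraying (one source, many accounts) and brute force (one source, one account)
    within a sliding window, plus any spraying source that also signs in successfully."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, src, acct, ok in events:
        (successes[src] if ok else fails[src]).append((ts, acct))
    spray, brute = {}, {}
    for src, attempts in fails.items():
        for i, (t0, _) in enumerate(attempts):
            in_window = [a for t, a in attempts[i:] if t - t0 <= window]
            distinct = len(set(in_window))
            if distinct >= spray_min_accounts:
                spray[src] = max(spray.get(src, 0), distinct)
            acct, n = Counter(in_window).most_common(1)[0]
            if n >= brute_min_attempts and n > brute.get(src, ("", 0))[1]:
                brute[src] = (acct, n)
    # A spraying source with a successful sign-in is the priority finding: a likely account takeover.
    takeover = sorted(src for src in spray if successes.get(src))
    return {"spray": spray, "brute": brute, "possible_takeover": takeover}
```

The thresholds and window are deliberately low for the tiny sample; in production they are tuned against the tenant's normal failure rate so that lockout policy and MFA prompts, not the detector alone, carry the load.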
## Targeting
- **Sectors:** Primarily IT companies (57%), followed by Government (20%), non-governmental organizations, think tanks, and financial services.
- **Geography:** Largely focused on US interests (about 45%), followed by the UK (10%).
- **Victims:** No specific organizations are named beyond Microsoft's general customer base; three entities were confirmed compromised.
## Tools & Infrastructure
**Malware families used:** Information stealing trojan (used to exfiltrate details).
**Infrastructure (C2, domains, IPs):** Not specified in detail, only that they targeted Microsoft customers via attacks leveraging credentials and possible access gained through a Microsoft Support agent.
## Implications
Nobelium continues to evolve its targeting post-SolarWinds, focusing on specific high-value entities within the IT and Government sectors globally. Their use of advanced techniques like trojan injection against support personnel paired with high-volume credential attacks signifies a persistent, sophisticated threat aiming for critical infrastructure and privileged access, mirroring the complexity seen in their prior major campaigns.
## Mitigations
- Implement Multi-Factor Authentication (MFA).
- Implement Zero-Trust Architecture.
- Secure Privileged Access Management (PAM).