The French national cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) revealed that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021.
The NOBELIUM APT (also tracked as APT29, Cozy Bear, and The Dukes) is the threat actor that conducted the supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and the GoldFinder backdoor.
NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.
The state-sponsored hackers have compromised the email accounts belonging to French organizations and used them to orchestrate spear-phishing campaigns aimed at foreign institutions.
The French Agency also reported that French public organizations were targeted with spoofed emails sent from servers belonging to foreign entities, likely compromised by the same threat actor.
“ANSSI has observed a number of phishing campaigns directed against French entities since February 2021. Technical indicators correspond to activities associated with the Nobelium intrusion set. These campaigns have succeeded in compromising email accounts belonging to French organisations, and then using these to send weaponised emails to foreign institutions.” reads the report published by ANSSI. “Moreover, French public organisations have also been recipients of spoofed emails sent from supposedly compromised foreign institutions. Overlaps have been identified in the tactics, techniques & procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020.”
The payload delivered by spear-phishing attacks is a Cobalt Strike implant, while the infrastructure used in the attacks against French organizations was mainly created using virtual private servers (VPS) from different providers. The nation-state actors favor servers located close to the target countries. Experts noticed that several IP addresses within the C2 infrastructure belong to the OVH provider.
The attackers used domain names resembling legitimate domains, including names mimicking information and news websites. Most of the domains were registered with NAMESILO and NAMECHEAP.
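As an added defender-side example (not from the ANSSI report or this article), the following Python flags hosts in proxy logs that imitate a watch list of legitimate news domains through homoglyphs, embedded brand names or near-typos; the watch list, log format and log lines are constructed sample data.

```python
import re
from difflib import SequenceMatcher

# Constructed watch list of legitimate domains to protect (assumption, not from the report).
WATCHLIST = ["lemonde.fr", "bbc.com", "reuters.com"]

def normalize(label: str) -> str:
    """Undo common visual substitutions (digits and letter pairs that imitate letters)."""
    label = label.lower().replace("vv", "w").replace("rn", "m")
    return label.translate(str.maketrans("013578", "olestb"))

def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (enough for the .com/.fr sample here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(host: str, watchlist=WATCHLIST, threshold=0.8):
    """Return the watch-list domain that `host` imitates, or None if it looks unrelated."""
    dom = registrable(host)
    if dom in watchlist:
        return None                      # the genuine domain itself
    norm = normalize(dom)
    for legit in watchlist:
        if norm == legit:
            return legit                 # homoglyph-only variant, e.g. lem0nde.fr
        a, b = norm.split(".")[0], legit.split(".")[0]   # compare second-level labels
        if (len(b) >= 5 and b in a) or SequenceMatcher(None, a, b).ratio() >= threshold:
            return legit                 # brand embedded in a longer name, or a near-typo
    return None

# Constructed proxy log format: timestamp user src-ip host path (sample data, not real traffic)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S+)")
SAMPLE_LOGS = """\
2021-03-01T10:00:00Z alice 10.0.0.5 www.lemonde.fr /politique
2021-03-01T10:01:12Z bob 10.0.0.9 lem0nde.fr /login
2021-03-01T10:02:40Z carol 10.0.0.7 reuters-news.com /breaking
2021-03-01T10:03:01Z dave 10.0.0.8 reutres.com /world
2021-03-01T10:04:15Z erin 10.0.0.3 example.org /
"""

def scan(log_text: str):
    """Return (host, imitated_domain) pairs for every log line whose host is a lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = lookalike(m.group("host"))
        if target:
            hits.append((m.group("host"), target))
    return hits
```

Running `scan(SAMPLE_LOGS)` flags the homoglyph, the embedded-brand and the transposed-letter domains while leaving the genuine `www.lemonde.fr` and the unrelated `example.org` untouched.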
ANSSI researchers state that the threat actors focus on Active Directory (AD) servers; for this reason, they recommend that organizations strengthen the security measures protecting them. ANSSI experts also recommend restricting the execution of email attachments in order to block weaponized attachments.
(SecurityAffairs – hacking, Nobelium)