Microsoft reported in a 24 October 2021 blog post that Russia’s foreign intelligence service, the SVR, is behind yet another campaign to compromise targeted corporate and U.S. government networks and assets. As before, the resources of a threat actor sponsored by a major nation state are being aimed at the global IT supply chain.
The SVR has been identified by U.S. intelligence as the actor behind this activity; Microsoft tracks the group as NOBELIUM, and it is also known as APT29 and Cozy Bear¹. This is the same threat actor that carried out the SolarWinds supply chain attack in 2020. NOBELIUM appears to have been operating since at least 2008, targeting government networks in Europe, research institutes and think tanks. APT29 is infamous for its compromise of the Democratic National Committee, which began in the summer of 2015.
The business segment targeted during this attack window is “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.”² Microsoft estimates that “as many as 14 of these resellers and service providers have been compromised.” Microsoft first observed this latest campaign in May 2021 and has since notified more than 140 resellers and technology partners.
NOBELIUM was previously tied to attacks against critical organizations in the global IT supply chain. In the SolarWinds attack, the threat actor inserted malware into a trusted software update, which ultimately gave it direct access to thousands of downstream customer networks. Microsoft’s conclusion is that Russia is trying to gain “long-term, systematic access to a variety of points in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of interest to the Russian government.”
Infoblox has been tracking and investigating NOBELIUM and its various malicious efforts for some time. On 2 June, 2021, our Cyber Intelligence Unit (CIU) published the Cyber Threat Advisory: Nobelium Campaigns and Malware. In that CTA we noted that NOBELIUM had been running a new malicious email campaign since February 2021, one that differs significantly from the operations behind the widely publicized SolarWinds attack. In this campaign NOBELIUM distributed multiple waves of spear-phishing emails, each revealing a further evolution of its malware delivery techniques.
The following cyber threat advisories published by Infoblox on the SolarWinds attack provide more information.
- Cyber Threat Advisory: SolarWinds Supply Chain Attack – FireEye had just publicly disclosed information about a supply chain attack affecting SolarWinds’ Orion IT monitoring and management software. This attack infected all versions of Orion software released between March and June 2020 with SUNBURST malware, a sophisticated backdoor that uses HTTP to communicate with attacker infrastructure.
- Cyber Threat Advisory: SolarWinds and SUNBURST Update – CIU gathered additional information about the wide-ranging effects of this campaign, and the update included some of the latest information from OSINT, conveyed what we have been able to validate, and provided some additional IOCs.
- Cyber Threat Advisory: SolarWinds Second Update – included new information from the latest CISA alert and recent OSINT on additional attack vectors, the use of anti-analysis blocklists, privilege escalation and persistence techniques, compromised accounts and applications in Azure/Microsoft 365 environments, and the command and control (C&C) protocol.
- Cyber Threat Advisory: SolarWinds Third Update – included new information from the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Defense (DoD) Cyber National Mission Force (CNMF) on additional SolarWinds-related malware variants, referred to as SUNSHUTTLE and SOLARFLARE. This update also covered recent Russian SVR activities.
Protecting the Organization
There are several best practices, including guidance from CISA, that should be followed to strengthen the security of an organization. They include the following:
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Restrict users’ ability (permissions) to install and run software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes. Current NIST guidance (SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed schedule, and pairing them with multi-factor authentication.
- Exercise caution when opening email attachments, even if the attachment is expected and the sender appears to be known. Scan for and remove suspicious email attachments, and verify that each scanned attachment is its “true file type,” i.e., that the extension matches the file header (magic bytes) rather than trusting the name alone.
- Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
- Scan all software downloaded from the Internet prior to installation.
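The “true file type” check in the attachment item above, written out as an added example (this is not Infoblox or CISA code). It compares an attachment’s extension against a small, hand-picked table of well-known file signatures, rejects extensions that should never arrive by email, and catches the “photo.jpg.exe” double-extension lure. The signature table, the blocked-extension list and the sample attachments are assumptions constructed for the demo; a production gateway would use a fuller signature database.

```python
"""Check that e-mail attachments' extensions match their true file type.

Added example for this advisory; it is not Infoblox or CISA code. The
signature table is a hand-picked subset of well-known magic bytes, and the
sample attachments are constructed in memory so the script runs offline.
"""
import os

# File signature (leading bytes) -> extensions that legitimately carry it.
# Office Open XML (docx/xlsx/pptx) is a zip container and shares the PK header;
# legacy Office formats share the OLE2 compound-document header.
MAGIC = [
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),
    (b"{\\rtf", {"rtf"}),
    (b"MZ", {"exe", "dll", "scr"}),
    (b"\x7fELF", {"elf"}),
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
]

# Extensions rejected outright, whatever the header says (assumed policy).
BLOCKED = {"exe", "dll", "scr", "elf", "js", "vbs", "hta", "lnk", "iso", "img"}

# Document-like extensions commonly used as the decoy half of a double extension.
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def true_file_types(data: bytes) -> set:
    """Extensions consistent with the file header; empty set if the header is unknown."""
    for signature, exts in MAGIC:
        if data.startswith(signature):
            return set(exts)
    return set()


def check_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) with verdict in {"accept", "reject", "review"}."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "review", "no extension"
    ext = parts[-1]
    # "photo.jpg.exe": the visible part looks like a document, the real part executes.
    if len(parts) > 2 and parts[-2] in DECOY:
        return "reject", "double extension ." + ".".join(parts[-2:])
    if ext in BLOCKED:
        return "reject", "blocked extension ." + ext
    types = true_file_types(data)
    if not types:
        # Plain text and other signature-less formats land here for manual review.
        return "review", "unrecognised file header"
    if ext not in types:
        return "reject", ".%s does not match header (%s)" % (ext, "/".join(sorted(types)))
    return "accept", "extension matches header"


# Constructed sample attachments (first bytes only), not real files.
SAMPLES = {
    "Q3_report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",  # PE renamed to .pdf
    "contract.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00",
    "photo.jpg.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "notes.txt": b"Meeting notes for Monday\n",
}


def scan(samples: dict) -> dict:
    """Run the check over a name -> bytes mapping and return name -> (verdict, reason)."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan(SAMPLES).items():
        print("%-16s %-7s %s" % (name, verdict, reason))
```

The "review" verdict matters in practice: plain text, CSV and similar formats have no signature, so an unknown header should route the file to quarantine or a sandbox rather than silently accepting or rejecting it.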
Leveraging DNS Security
A DNS security solution such as Infoblox’s BloxOne Threat Defense, used as one layer of defense in depth, can surface and block threats that show up in DNS traffic. Combined with Microsoft’s recommendations (multi-factor authentication, an audit of delegated administrative privileges, and the other measures in its guidance), BloxOne Threat Defense strengthens an organization’s defenses against sophisticated threats.
DNS security is designed to prevent users from connecting to malicious destinations and to detect anomalous behavior in the network, such as C&C communications, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunneling and data exfiltration. In addition, Infoblox DNS security integrates with Security Orchestration, Automation and Response (SOAR) platforms, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when malicious activity is detected. This speeds up an organization’s response to security events and enables rapid threat containment.
Analyzing DNS logs is a highly effective way to see which resources a client has accessed over time. DHCP fingerprint and IPAM metadata add context on a compromised device, such as device type, operating system, network location, and current and historical IP address allocations. Together this information supports event correlation and helps establish the scope of a breach.
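As an added example of the two preceding paragraphs (this is not Infoblox or BloxOne code), the script below runs two of the detections mentioned, DGA-style lookups and DNS tunneling, over resolver query-log lines and then enriches each hit with DHCP-fingerprint/IPAM context so an analyst can see which device is involved. The BIND-style log lines, the IPAM table, the entropy and length thresholds, and the “registrable domain = last two labels” shortcut are all assumptions constructed for the demo; real deployments should use the public suffix list and tune the thresholds against their own baseline.

```python
"""Flag DGA-style lookups and DNS tunnelling in resolver query logs and enrich
hits with DHCP-fingerprint/IPAM context.

Added example for this advisory; it is not Infoblox or BloxOne code. The log
lines, the IPAM table and every threshold below are constructed for the demo.
"""
import math
import re
from collections import defaultdict

# Constructed BIND-style query-log lines (not real traffic).
LOG_LINES = """\
25-Oct-2021 09:12:01.101 client 10.1.4.23#51234 (www.microsoft.com): query: www.microsoft.com IN A + (10.0.0.53)
25-Oct-2021 09:12:02.210 client 10.1.4.23#51236 (login.microsoftonline.com): query: login.microsoftonline.com IN A + (10.0.0.53)
25-Oct-2021 09:12:05.332 client 10.1.7.88#40112 (xk3jq9vhz2bwmpdl.net): query: xk3jq9vhz2bwmpdl.net IN A + (10.0.0.53)
25-Oct-2021 09:12:05.348 client 10.1.7.88#40113 (qpw8zr4tmc1lvk7y.com): query: qpw8zr4tmc1lvk7y.com IN A + (10.0.0.53)
25-Oct-2021 09:12:05.361 client 10.1.7.88#40114 (b7dn2sxz0hq4uvgt.org): query: b7dn2sxz0hq4uvgt.org IN A + (10.0.0.53)
25-Oct-2021 09:12:05.379 client 10.1.7.88#40115 (mz9tvc3lq0xw6prh.info): query: mz9tvc3lq0xw6prh.info IN A + (10.0.0.53)
25-Oct-2021 09:13:10.004 client 10.1.9.5#55001 (4d4f434b5f455846494c5f4348554e4b5f30303031.dns-update.example): query: 4d4f434b5f455846494c5f4348554e4b5f30303031.dns-update.example IN TXT + (10.0.0.53)
25-Oct-2021 09:13:10.231 client 10.1.9.5#55002 (4d4f434b5f455846494c5f4348554e4b5f30303032.dns-update.example): query: 4d4f434b5f455846494c5f4348554e4b5f30303032.dns-update.example IN TXT + (10.0.0.53)
25-Oct-2021 09:13:10.468 client 10.1.9.5#55003 (4d4f434b5f455846494c5f4348554e4b5f30303033.dns-update.example): query: 4d4f434b5f455846494c5f4348554e4b5f30303033.dns-update.example IN TXT + (10.0.0.53)
"""

# Constructed DHCP-fingerprint / IPAM metadata keyed by client IP (assumed schema).
IPAM = {
    "10.1.4.23": {"hostname": "LT-HR-0031", "device": "laptop", "os": "Windows 10", "network": "HR VLAN 12"},
    "10.1.7.88": {"hostname": "LT-FIN-0142", "device": "laptop", "os": "Windows 10", "network": "Finance VLAN 17"},
    "10.1.9.5": {"hostname": "SRV-BUILD-03", "device": "server", "os": "Ubuntu 20.04", "network": "Build farm VLAN 19"},
}

LOG_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")
VOWELS = set("aeiou")


def parse(lines: str):
    """Yield (client_ip, qname, qtype) from BIND-style query-log lines."""
    for line in lines.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"].upper()


def split_name(qname: str) -> tuple:
    """Return (subdomain, registrable). ASSUMPTION: registrable = last two labels;
    production code should consult the public suffix list (e.g. 'example.co.uk')."""
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_dga(label: str, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25) -> bool:
    """Crude DGA heuristic: a long, high-entropy label with few vowels (thresholds assumed)."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def analyze(log_text: str, ipam: dict, dga_min=3, tun_min_subs=3, tun_min_len=30) -> list:
    """Return findings, each with client, kind ('dga' or 'tunnel'), evidence and IPAM context."""
    dga = defaultdict(set)                          # client -> flagged registrable domains
    subs = defaultdict(lambda: defaultdict(set))    # client -> registrable -> {(subdomain, qtype)}
    for ip, qname, qtype in parse(log_text):
        sub, reg = split_name(qname)
        if looks_dga(reg.split(".")[0]):
            dga[ip].add(reg)
        if sub:
            subs[ip][reg].add((sub, qtype))
    findings = []
    for ip, domains in dga.items():                 # many distinct DGA-like domains from one host
        if len(domains) >= dga_min:
            findings.append({"client": ip, "kind": "dga", "evidence": sorted(domains),
                             "context": ipam.get(ip, {})})
    for ip, by_domain in subs.items():              # many long, unique subdomains under one parent
        for reg, seen in by_domain.items():
            avg_len = sum(len(s) for s, _ in seen) / len(seen)
            if len(seen) >= tun_min_subs and avg_len >= tun_min_len:
                findings.append({"client": ip, "kind": "tunnel",
                                 "evidence": {"domain": reg, "subdomains": len(seen),
                                              "avg_label_len": round(avg_len, 1),
                                              "qtypes": sorted({q for _, q in seen})},
                                 "context": ipam.get(ip, {})})
    return findings


if __name__ == "__main__":
    for f in analyze(LOG_LINES, IPAM):
        print(f["kind"], f["client"], f["context"].get("hostname"), f["evidence"])
```

The IPAM join is what turns a raw IP into something actionable: the same finding reads very differently when the client is a Finance laptop versus a build server, and the historical allocation data is what lets you attribute a lookup from last week to the right device after DHCP has handed the address to someone else.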
BloxOne Threat Defense also combines advanced analytics based on machine learning, highly accurate and aggregated threat intelligence and automation to detect and prevent a broad range of threats, including DGA families, data exfiltration, look-alike domain use, fast flux and many others.
To find out more about our programs and products please reach out to us via https://info.infoblox.com/contact-sales.html.
Endnotes
¹https://attack.mitre.org/groups/G0016/
²https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/