Nobelium. Just a year ago, cybersecurity companies including Microsoft and FireEye associated the name with one of the biggest cyber espionage operations in history. The Nobelium hackers had managed to discreetly infect the Orion software of the American company SolarWinds. Their malicious code, embedded in official updates to Orion, had allowed them to gain access to the computer networks of dozens of client organizations of the software. Among the victims were companies but especially several branches of the American government, all targeted for their strategic information.
A year later, on December 6, it was the turn of Cert de l’Anssi, the body in charge of alerting to the main threats targeting French organizations, to evoke the name Nobelium.
“The Anssi observed several phishing campaigns [envoi d’emails malveillants, ndlr] against French entities since February 2021 whose technical markers correspond to the Nobelium operating procedure. These campaigns made it possible to compromise the e-mail accounts of French organizations, and to send from these accounts spoofed e-mails to foreign institutions “, writes the Cert in his alert.
Through the report, Anssi gives technical indicators that should allow defenders to better protect themselves against the group of cyber spies, at least temporarily.
The Anssi warns of cyber espionage
Nobelium falls under the category of “advanced persistent threats”, known by the acronym APT, which refers to organizations most often funded by states. ” In this name, the most important term is “persistent”. APTs will target the same entities over and over again, where cybercriminal organizations choose the easiest targets to attack », Explains to The gallery Matthieu Faou, researcher on these threats for the company Eset. It is therefore not surprising that Nobelium reappeared shortly after the SolarWinds affair, despite threats of sanctions by the American authorities.
If the action of the APT is long-term, it is because their objectives relate to cyber espionage: they seek above all to collect strategic, industrial or governmental information. To achieve this, they must infiltrate as discreetly as possible into the computer systems of victims, then manage to evade detection mechanisms for as long as possible.
Nobelium, for its part, has two types of preferred targets: diplomats on the one hand, and organizations, like SolarWinds, which allow a large number of targets to be hit per bounce. In principle, Nobelium targets know that they are in its sights, or at least, that they must have a sufficiently high level of security for the strategic interest they represent.
Between trivial methods and cutting-edge cyber espionage
Concretely, when APT hackers compromise a target’s computer, they install a “shell” in it, a kind of parallel control interface, which they use to send messages and infect other people. . This is how Anssi explains that French entities have received malicious emails from foreign organizations, and vice versa.
The agency specifies that the ” initial intrusion method is unknown ‘, and it must be said that Nobelium has at its disposal a large arsenal of techniques, from the most trivial to the most complex. In recent phishing campaigns that Eset observed – in waves spaced two months apart – hackers mimicked the type of mail diplomats received, such as business-related reports or invitations to embassy dinners. On the other hand, Matthieu Faou was surprised at the technical poverty of the most recent: “ some attack chains require between 4 and 5 clicks of the target before infecting it, but also to open strange file extensions, such as .iso, a format used for storage in CD-ROMs. »
However, the more clicks a phishing requires, the less likely it is to work, since each click gives the target a greater chance of realizing the deception.
Contrary to this observation, the Mandiant company identified in a report published on December 6 new Nobelium techniques to evade detection and stay on the victim’s system. And that’s not all: hackers have also managed to mobilize unusual channels to reach their targets. For example, they managed to gain privileged access to cloud providers, which they used to reach the provider’s customers, their final target. Or, they have managed to steal session tokens, authentication cookies that allow (in some cases) to connect to an account without having the password.
Attribution, a balancing act
Particularly active, Nobelium has received several names – such as APT29 or Cozy Bear – since the first detection of its activity in 2008. But if its name is also known, it is because it presents a rare peculiarity: the White House attributed its attack on SolarWinds to the SVR, a branch of Russian military intelligence. In other words, according to the United States, the Russian government is hiding behind the Nobelium campaigns. This kind of precise attribution remains an unusual diplomatic fact, as even the most talkative companies are generally content to point out the potential country of origin of the attackers. ” Trying to do attribution with only technical elements is to have a 50% risk of being wrong », Warns Matthieu Faou. ” Presumably the US government had access to other things we don’t have. »
The Anssi, for its part, is more cautious than its American counterparts: it is content to designate a “operating mode“, that is to say a set of tools and attack techniques used jointly. In other words, it asserts that the attacks against the French entities exploit the modus operandi of Nobelium, but without designating the group itself , and above all, without making any link with Russian intelligence. This play on words has its importance in the diplomatic game. Moreover, even this kind of cautious attribution to a modus operandi remains very rare for Anssi, with the only Centreon case in 2020.
