NOBELIUM APT Attacks Global IT Supply Chain to Spy on Downstream Customers

[post-views]
October 26, 2021 · 4 min read
NOBELIUM APT Attacks Global IT Supply Chain to Spy on Downstream Customers

Infamous Nobelium APT group strikes again! This time covert Russia-backed threat actor goes after technology service providers at a global scale to spy on their downstream customers. Hackers have targeted at least 140 IT service orgs since May 2021, with 14 of them being successfully compromised.

NOBELIUM APT Group

NOBELIUM APT group (APT29, CozyBear, and The Dukes) is believed to be a secretive hacking division of the Russian Foreign Intelligence Service (SVR). It is a relatively new player in the cyber threat arena, with the first red flags of APT’s activity traced back to the end of 2019. Since then, NOBELIUM earned a reputation as a highly sophisticated hacking collective leveraging an impressive batch of custom malware samples to proceed with the ground-breaking intrusions.

Initially, NOBELIUM came into the spotlight after the US government accused the group of standing behind the SolarWinds supply chain attack that ended up in the compromise of multiple US govt agencies. NOBLEIUM planted malicious strains to the systems of such high-profile targets as the Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Agency (CISA), and the US Treasury to gather surveillance data and obtain persistent backdoor access to the infrastructure.

Security analysts from Microsoft assume that NOBELIUM is constantly rising the bar in the scope and sophistication of APT’s malicious actions. Starting from the beginning of 2021, the threat actor added several new malicious samples to the toolkit, including Sunburst, Sunspot, Teardrop, Goldmax, Sibot, and GoldFinder. In May 2021, the group launched a massive spear-phishing campaign that impersonated USAID to target governments assets of 24 countries. And between July 1 and October 19 this year, Microsoft estimates over 22,868 hacking attempts against 609 vendors.

NOBELIUM Attacks Global IT Supply Chain

The new campaign, uncovered by Microsoft in October 2021, shares all the typical attributes of the NOBLEIUM tactics. To reach high-profile targets and maintain access to the systems of interest, state-sponsored actors concentrated their efforts on technology service providers. 

NOBELIUM pulled off intrusions similar to the SolarWinds incident, penetrating the privileged accounts of technology service providers to move laterally in the cloud environments and spy on the downstream customers. The majority of intrusions did not rely on any security flaws but rather on sophisticated tools and techniques, including password spraying, token theft, supply chain attacks, API abuse, and spear phishing. 

The campaign showed that NOBELIUM attempts to establish a persistent surveillance channel allowing adversaries to spy on targets of interest to the Russian government. Fortunately, the campaign was uncovered at its early stages, so IT service providers can secure their systems against NOBELIUM malicious attacks.

Microsoft has notified all affected organizations and issued technical advisory to outline NOBELIUM’s tactics and techniques.

Detecting NOBELIUM APT Attacks

To protect your company infrastructure from NOBELIUM attacks, you can download a set of Sigma rules developed by the SOC Prime Team.

Command Execution on Azure VM (via azureactivity)

The detection has translations for the following SIEM SECURITY ANALYTICS platforms: Azure Sentinel, ELK Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys.

The rule is mapped to MITRE ATT&CK methodology addressing the Execution, Defense Evasion, Persistence, Privilege Escalation, and Initial Access tactics. Particularly, the detection addresses the Command and Scripting Interpreter (t1059) as well as Valid Accounts (t1078) techniques. 

Service Principal Account Credentials Update (via azuread)

The detection has translations for the following SIEM SECURITY ANALYTICS platforms: Azure Sentinel, ELK Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys.

The rule is mapped to MITRE ATT&CK methodology addressing the Persistence tactics. Particularly, the detection addresses the Additional Cloud Credentials sub-technique (t1098.001) of the Account Manipulation (t1098) technique. 

Non-Interactive User Sign Ins (via azuread)

The detection has translations for the following SIEM SECURITY ANALYTICS platforms: Azure Sentinel, ELK Stack, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys.

The rule is mapped to MITRE ATT&CK methodology addressing the Persistence tactics and the Account Manipulation (t1098) technique. 

Follow this link to find more detection rules covering the malicious activity of the Nobelium APT.

Explore SOC Prime’s Detection as Code platform to defend against attacks faster and more efficiently than ever. Instantly hunt for the latest threats within 20+ supported SIEM XDR technologies, boost the awareness of all the latest attacks in the context of exploited vulnerabilities and MITRE ATT&CK matrix, and streamline your security operations, while getting anonymized feedback from the global cybersecurity community. Enthusiastic to craft your own detection content and get money for your contribution? Join our Threat Bounty Program!

Go to Platform Join Threat Bounty

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts