The Russian threat actor Nobelium, also known as Midnight Blizzard or Cozy Bear [4], has been targeting French diplomatic entities and public organizations since 2021 [2], according to the French National Cybersecurity Agency (ANSSI) [2].
Description
ANSSI observed at least five coordinated campaigns between 2021 and 2024 [2] against institutions such as the French Ministry of Culture [2] [3], the French Ministry of Foreign Affairs [1] [2] [3] [4], the National Agency for Territorial Cohesion (ANCT) [1] [2] [3], and French embassies worldwide [2]. The threat actor used compromised legitimate email accounts belonging to diplomatic staff to run phishing campaigns that delivered private loaders and executed public red-teaming tools in order to gain access to networks [2], maintain persistence [2] [3], and exfiltrate intelligence [2] [3]. Beyond diplomatic entities, Nobelium has expanded its victim list to IT companies such as Microsoft [2], Hewlett Packard Enterprise (HPE) [1] [2] [5], and TeamCity [2]. Espionage against IT and cybersecurity entities could strengthen Nobelium operators’ offensive capabilities and therefore poses a significant threat [5]. Nobelium is believed to be affiliated with the Russian SVR intelligence service and was responsible for the SolarWinds cyberattack [4]. The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed Nobelium’s involvement in the Microsoft cyberattack in January 2024 [4]. The attacks are tracked as part of a cluster called “Diplomatic Orbiter” [3], whose targets include the French Ministry of Culture [3], the National Agency for Territorial Cohesion [1] [2] [3], and the French Ministry of Foreign Affairs [2] [3]. The operators aim to gain access to victims’ networks [3], maintain persistence [2] [3], and exfiltrate data using tools such as Cobalt Strike and Brute Ratel C4 [3]. ANSSI’s report also assesses that Nobelium is most likely operated on behalf of a state and affiliated with the SVR [1] [4], the foreign intelligence service of the Russian Federation [1], and notes a high level of activity since the start of the war in Ukraine [1].
Conclusion
The attacks by Nobelium on French diplomatic entities and public organizations [2], as well as IT companies, highlight the ongoing threat posed by state-affiliated threat actors. It is crucial for organizations to enhance their cybersecurity measures to protect against such attacks and mitigate potential risks. The continued activity of Nobelium, coupled with its affiliation with the Russian SVR intelligence service [4], underscores the need for increased vigilance and cooperation among international cybersecurity agencies to address and counter such threats effectively.
References
[1] https://www.gamingdeputy.com/anssi-cautions-about-russian-hackers-launching-cyberattacks-against-french-diplomacy/
[2] https://www.infosecurity-magazine.com/news/french-diplomatic-russian-nobelium/
[3] https://www.darkreading.com/remote-workforce/russia-midnight-blizzard-french-diplomats
[4] https://www.usine-digitale.fr/article/l-anssi-alerte-sur-les-cyberattaques-de-hackers-russes-contre-la-diplomatie-francaise.N2214875
[5] https://thehackernews.com/2024/06/french-diplomatic-entities-targeted-in.html