Reviews on Nobelium Hackers

Charlie Osborne

Contributing Writer - ZDNET

The advanced persistent threat (APT) group, of Russian origin, has now pivoted to software and cloud service resellers in order to “piggyback on any direct access that resellers may have to their customers’ IT systems.”

The Redmond giant says that Nobelium’s latest campaign was spotted in May this year and no less than 140 companies have been targeted, with 14 confirmed cases of compromise.

Nobelium was responsible for the SolarWinds breach, disclosed by Microsoft and FireEye (now known as Mandiant) in December 2020.

Vasu Jakkal

Corporate Vice President, Security, Compliance, Identity, and Management - Microsoft

In many ways, the NOBELIUM nation-state cyberattack realized the deepest fears of United States cybersecurity experts, according to Microsoft 365 Security Corporate Vice President Rob Lefferts. It was a supply chain attack. It was methodically planned and executed. And it impacted multiple world-class companies with strong security teams. 

Sam Shead

CNBC

The Russian-linked hacking group that’s been blamed for an attack on the U.S. government and a significant number of private U.S. companies last year is targeting key players in the global technology supply chain, according to cybersecurity experts at Microsoft.

Nobelium, as the hacking group is known, is infamous for the SolarWinds hack.

Shaun Nichols

Tech Target Network

The infamous threat group responsible for the SolarWinds supply chain attack are back at it with a new backdoor in its arsenal.

Researchers with the Microsoft Threat Intelligence Center believe the Nobelium crew is using a piece of remote access malware dubbed “FoggyWeb” to maintain persistence on compromised Active Directory servers. The backdoor had been observed in the wild as far back as April.

“Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.”

K. Holt

Engadget

Microsoft has shared more details about a recent cyberattack campaign orchestrated by the Russian state-sponsored group blamed for last year’s devastating SolarWinds hack. The company’s cybersecurity experts warned that Nobelium is once again trying to access government and corporate networks around the world, despite President Joe Biden sanctioning Russia over previous cyberattacks.

Nathaniel Mott

Contributing Writer - PCMAG

The Microsoft Threat Intelligence Center said it’s been tracking recent activity from Nobelium, a Russia-based hacking group best known for the SolarWinds cyberattack of December 2020, and that the group managed to use information gleaned from a Microsoft worker’s device in attacks.

Nobelium followed up the SolarWinds cyberattack in May with a campaign against the US Agency for International Development (USAID). The group reportedly used one of USAID’s email marketing tools to send phishing messages to more than 150 organizations. Those messages contained a link used to distribute malware that could steal data, infect other devices, and more.

Katie Wickens

Contributing Writer - Pcgamer

Microsoft recently informed over 600 of its customers about 22,868 separate attacks by a single threat actor over a four-month period. That actor—known as Nobelium—is a hacking group suspected of being affiliated with the Russian Foreign Intelligence Service (SVR).

The recent wave came between July 1 and October 19 this year, and included over 140 retail companies and technology service providers. Tom Burt, Corporate Vice President at Microsoft, says “as many as 14” of these were left compromised, though of the 600+ other targets, Burt declares the hacking success rate to be “in the low single digits.”

Zach Marzouk

ITPro

Microsoft has warned its resellers and managed service providers that the hacking group behind the SolarWinds cyber attack has now turned its attention to the company’s global supply chain.

The tech giant said that it believes the Russian state-backed hacking group, known as Nobelium, ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.

Sommer Brokaw

U.S News - UPI

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Burt said in the blog. “This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Lance Whitney

Tech Republic

Known for an attack last year that exploited a security flaw in network monitoring software from SolarWinds, Nobelium has lately been targeting a different segment, specifically resellers and other service providers that manage cloud services and other technologies for customers.

The group’s likely goal is to obtain direct access that resellers have to the IT systems of their customers. If successful, Nobelium would then have a way to impersonate a technology provider and attack its downstream customers.

Guru Writer

IT Security Guru

The hackers responsible for the SolarWinds supply chain attacks have again been linked to multiple attacks targeting businesses and governments globally. The hacking group is continuing to refine and retool its methods at an incredible speed while targeting cloud solution providers, services, and reseller companies.

The intrusions are being actively tracked under two activity clusters: UNC3004 and UNC2652. Both of these are associated with UNC2452, an uncategorized hacking group, which has been tied to the Russian intelligence service. It has since been discovered that this group targets diplomatic entities using phishing emails. Victims are prompted to open HTML attachments that contain malicious JavaScript, which would drop a Cobalt Strike Beacon onto the device.

Jenna McLaughlin

Contributing Writer - NPR

“Nobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations integral to the global IT supply chain,” Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, said in a blog post on the company’s website.

“We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” he added.

The hacker group hasn’t tried to ferret out vulnerabilities in software, Burt said, but rather has been using techniques like phishing and password spray to gain entry to the targeted networks.

Geert van der Klugt

Techzine

Nobelium, the hack group held responsible for the infamous SolarWinds attack, still has a large arsenal of advanced hacking capabilities at its disposal. This is the conclusion of Mandiant security specialists in a recent study. The full potential of the alleged state-sponsored collective has not yet come to light.

Sergiu Gatlan

Bleeping Computer

The French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last year’s SolarWinds hack has been targeting French organizations since February 2021.

While ANSSI (short for Agence Nationale de la Sécurité des Systèmes d’Information) has not determined how Nobelium compromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails targeting foreign institutions.

Anna Ribeiro

Industrial Cyber News Editor

Microsoft revealed on Sunday that Russian nation-state hacker Nobelium is attacking a different part of the supply chain, including resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. The recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain and establishes a mechanism for surveilling – now or in the future – targets of interest to the Russian government.

Jamie Tarabay & Bloomberg

Fortune News Editor

Microsoft attributes the coordinated attack, which was first observed in May, to a group called Nobelium, the same state-sponsored Russian hackers who used sophisticated intrusion techniques in 2020 to infect with malware as many as 18,000 customers of Texas-based software company SolarWinds Corp. More than 140 technology service providers and resellers have been notified as recent targets of the hackers and 14 of them are believed to have been compromised, Microsoft said in a blog on Monday.

Nobelium was also behind an attack on IT companies, governments, think tanks, and financial service entities earlier this year that spanned 36 countries, Microsoft announced in June.

Catalin Cimpanu

The Record Media News Editor

Nobelium, the Russian cyber-espionage group that has orchestrated the SolarWinds 2020 supply chain attack, has continued to carry out new attacks throughout 2021, and according to security firm Mandiant, has been using a clever trick to bypass two-factor authentication in order to access some of its targets’ accounts.

Maria Korolov

Data Center Knowledge News Editor

That group, called Nobelium, didn’t give up when their hack was discovered. Instead, they stepped up their activity. According to a report Microsoft released late last month, Nobelium has been targeting IT resellers and service providers since at least May.

“We have notified more than 140 resellers and technology service providers that have been targeted by Nobelium,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust.

Cyware

Cyware News Editor

Nobelium, the infamous hacking group known for its SolarWinds supply chain attacks, is active again, breaching government and enterprise networks around the world. It is targeting cloud and managed service providers with new custom malware Ceeloader.

Enigma Soft

The Nobelium APT became a major player in the cyber-espionage landscape last year when the previously unknown hacker group staged a massive supply chain attack against software developer SolarWinds. Microsoft assigned the name Solarigate to the hacker collective at the time, but later changed it to Nobelium. Cybersecurity firm FireEye tracks the group’s activity under the designation UNC2542.

Pierluigi Paganini

Security Affairs News Editor

The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted a supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors. NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. The Nobelium cyberspies are using a new custom downloader tracked by the researchers as CEELOADER.

Dan Goodin

ARS Technica News Editor

Nobelium—the name Microsoft gave to the intruders—was eventually expelled, but the group never gave up and arguably has only become more brazen and adept at hacking large numbers of targets in a single stroke. The latest reminder of the group’s proficiency comes from security firm Mandiant, which on Monday published research detailing Nobelium’s numerous feats—and a few mistakes—as it continued to breach the networks of some of its highest-value targets.

Ravie Lakshmanan

The Hacker News Editor

Nobelium, the threat actor behind the SolarWinds compromise in December 2020, has been behind an ongoing wave of attacks that compromised 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations, illustrating the adversary’s continuing interest in targeting the supply chain via the “compromise-one-to-compromise-many” approach.

Microsoft, which disclosed details of the campaign on Monday, said it notified more than 140 resellers and technology service providers since May. Between July 1 and October 19, 2021, Nobelium is said to have singled out 609 customers, who were collectively attacked a grand total of 22,868 times.

NEWS, INDUSTRY

Datensicherheit News Editor

According to a statement by Eric Milam, “VP of Research & Intelligence” at BlackBerry, the current reports on the latest activities of the hacker group “Nobelium” are being followed with great interest. Their attacks are currently focused on IT companies – the latest attack is an attempt by this hacker group to “systematically gain access to global technology supply chains”. The hackers primarily target cloud service providers, managed service providers, and other IT companies in order to gain access to data from global supply chains and paralyze them.

General Discussion

Reddit Platform

I just learned that the never-ending battle to keep the wolves out of my network just got harder. According to this Bloomberg article, the Russian Nobelium hackers (the ones behind the SolarWinds debacle) have been using residential proxies in their attacks, which effectively negate the benefits of geoblocking.

REBECCA MORIN

USA Today News Editor

The United States was again targeted by hackers with suspected ties to Russia.

Microsoft Vice President Tom Burt announced Thursday evening that about 3,000 email accounts across 24 countries, at more than 150 organizations were targeted in the “wave of attacks.”

Microsoft identified Nobelium as the group that carried out the cyber attacks. It’s the same group that was behind the massive SolarWinds attack late last year.

NDTV

The state-backed Russian hacking group that carried out last year’s massive SolarWinds cyberattacks is behind a new and ongoing assault against US and European targets, Microsoft said Monday.

The software giant’s Threat Intelligence Center (MSTIC) said in a blog post that the Nobelium group was attempting to gain access to customers of cloud computing services and other IT service providers to infiltrate “the governments, think tanks, and other companies they serve”.

Economictimes India Times

News Editor

The software giant’s Threat Intelligence Center (MSTIC) said in a blog post that the Nobelium group was attempting to gain access to customers of cloud computing services and other IT service providers to infiltrate “the governments, think tanks, and other companies they serve”.

Alla Yurchenko

SOC Prime News Editor

Microsoft experts have revealed a significant shift in a spear-phishing campaign launched by Russia-affiliated NOBELIUM APT against major government agencies, think tanks, and NGOs globally. According to researchers, the hacker collective attacked more than 150 organizations across 24 countries with the intent to infect victims with malware and gain covert access to the internal networks. Notably, the same actor is believed to stand behind the epoch-making SolarWinds supply-chain attack that hit the world in December 2020.

Kelsey Rees

Channel Partner Insight News Editor

Microsoft has warned that Russian hacker Nobelium, the group behind the cyberattack on SolarWinds, is targeting the global IT supply chain. The tech giant said Nobelium is attacking a different part of the supply chain: resellers and other technology service providers that customise, deploy and manage cloud services and other technologies on behalf of their customers. It observed the attacks have not attempted to exploit any flaw or vulnerability in software but rather used “well-known”.

Avertium

When it comes to highly sophisticated malware attacks, NOBELIUM takes the lead. The SolarWinds breach was just the beginning of persistent malware attacks from the threat actor. In August 2021, NOBELIUM was seen trying to exploit a cluster of Exchange vulnerabilities known as ProxyShell (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473). The vulnerability allows threat actors to deploy web shells to unpatched Exchange servers for later access. Despite available security patches, organizations are still vulnerable due to not updating their servers.

In recent months, NOBELIUM has pivoted to attacking software and cloud service resellers. Their latest attacks include 3,000 individual accounts across more than 150 organizations. With those attacks, they used an established pattern of unique infrastructure and tools for each of their targets, enhancing their ability to go undetected for an extended period of time.

Aleem Ali

Notebookcheck News Editor

The Microsoft Corporation cautioned 140 tech retailers and IT service providers that the Russian hacking group, NOBELIUM, is pursuing them. Moreover, the Corporation proposed that these hackers aim to target ‘downstream customers’, particularly government officials. Similarly, NOBELIUM was accused of hacking SolarWinds in 2020. PCMag reported that the Russian group infiltrated SolarWinds by circulating malware-infected software amongst government agencies and private firms including Microsoft.

Michael Lipin

Voanews News Editor

As of its October 24 blog post, Microsoft said it determined that “as many as 14” of the resellers and service providers had been compromised in the Nobelium attacks, which it said involved the use of “well-known techniques, like password spray and phishing, to steal legitimate credentials and gain privileged access.”

Nobelium is the same group that Microsoft said was responsible for last year’s cyberattack on U.S. software company SolarWinds. That attack involved inserting malicious code into SolarWinds’ IT performance monitoring system, Orion, and gave the hackers access to the networks of thousands of U.S. public and private organizations that use Orion to manage their IT resources.

Richard Singha

Security boulevard News Editor

After a China-based cyber attack targeted Microsoft’s business email servers earlier this year, the tech giant has now issued a warning of an ongoing cyber attack by the Nobelium group. Microsoft warns of a sophisticated attack by the Russian hacking group targeting government agencies, NGOs, consultants, think tanks, and its customers worldwide.

In the latest cyber incident, Nobelium used a government agency’s account credentials to run a phishing campaign. This resulted in the breach of 3,000 individual accounts across more than 150 organizations.

Billy Gouveia, Kyle Schwaeble

CYBER INTELLIGENCE BRIEFING - insights.s-rminform

Nobelium hackers, the threat group behind the SolarWinds attack, have launched a new campaign against Microsoft’s customer support system. The hackers leveraged password spraying and brute-force attacks to infiltrate a Microsoft machine.

The hackers deployed information-stealing malware onto the Microsoft customer support machine. Microsoft contained the incident by removing access and securing the device. Any customers affected have been notified.

France24 News

Describing the cyberattack as “nation-state activity”, MSTIC said it “shares the hallmarks” of the assault on SolarWinds, a Texas-based software company targeted as its 300,000-strong customer base gave the hackers access to a huge number of companies.

Washington imposed sanctions in April and expelled Russian diplomats in retaliation for Moscow’s alleged involvement in the SolarWinds attack, as well as election interference and other hostile activity.

The latest attack has been underway since at least May, MSTIC said, with Nobelium deploying a “diverse and dynamic toolkit that includes sophisticated malware”.

Joseph Menn

Reuters News Editor

“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.

When Reuters asked about that warning, Microsoft announced the breach publicly.

After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.

Robert Carnevale

Windows Central News Editor

  • Microsoft has released a new report stating that Nobelium, a “Russian nation-state actor,” is targeting companies in the global IT supply chain ecosystem.
  • This hacking group is cited as being the same one responsible for the SolarWinds situation that took place across 2020 and early 2021, which was a big enough cyberattack that the U.S. government had to directly combat it.
  • The latest Nobelium strike targets resellers and those providing cloud technology services.

Balaji N

Gbhackers News Editor

The notorious hacking group Nobelium is the main culprit who organized the sensational cyberattack on the American software manufacturer SolarWinds. However, the latest wave of Nobelium is aimed at the resellers and other tech service providers in the cloud. In short, they have targeted 14 IT supply chains and 140 MSPs in their latest attack wave.

Since May of this year, the Russian threat group Nobelium has carried out attacks on resellers and other providers of technology services for the deployment and management of cloud services, in order to get access to the IT networks of their customers.

Nobelium is the elite hacking group of Russia’s SVR foreign intelligence agency, and this group is also known as “Cozy Bear.” Microsoft has notified more than 140 resellers and technology service providers since May that have been targeted by Nobelium.

Minhaj Adnan

Siasat News Editor

‘Nobelium’ was behind the cyberattacks targeting SolarWinds customers in 2020, and the US government and others have identified it as being part of Russia’s foreign intelligence service known as the SVR.

‘Nobelium’ ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers.

CBS News

The group, which Microsoft calls Nobelium, has employed a new strategy to piggyback on the direct access that cloud service resellers have to their customers’ IT systems, hoping to “more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers,” Microsoft said. Resellers act as intermediaries between software and hardware makers and product users.

SecureWorld

Secure World News Team

Nobelium is a truly persistent adversary. Often organizations fail to fully remediate incidents, leaving the threat actor with access to the network after the remediation is considered complete. Nobelium is one of the best in the threat actor ecosystem at remaining undetected after a remediation attempt.

This is not a DIY project for most organizations and will likely require professional assistance to be successful due to the variety of tools and tradecraft used.

WAQAS

Hackread News Team

The IT security researchers at Microsoft have revealed that the threat actors from the Nobelium group are back in action and currently targeting resellers and Cloud service providers.

Nobelium is the same group that launched the massively devastating supply chain attacks against Texas-based SolarWinds’ Orion software last year. The infamous group is also known for using SUNBURST and TEARDROP malware.

Alex Scroxton

Computer Weekly News Editor

That is according to threat researchers at Mandiant, who are tracking this activity and have identified two clusters – it designates these as UNC3004 and UNC2652 – both of which appear to be associated with SolarWinds’ tormentors, UNC2452, also known as Nobelium, although there is insufficient evidence to confirm this is the case.

“In most instances, post-compromise activity included theft of data relevant to Russian interests,” said the researchers in a newly published disclosure notice.

“In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection and confuse attribution efforts.”

Robinson

Cole Data Privacy, Security Insider

Nobelium was behind the 2020 SolarWinds incident and is now focused on attacking “resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers.” According to Burt, Microsoft, “believe[s] Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.”

Jamie Tarabay

Bloomberg News Team

The hackers behind the notorious SolarWinds cyberattack are engaged in a fresh campaign to compromise global networks by targeting the tech supply chain, including resellers and providers of cloud technology, according to Microsoft Corp.

Microsoft attributes the coordinated attack, which was first observed in May, to a group called Nobelium, the same state-sponsored Russian hackers who used sophisticated intrusion techniques in 2020 to infect customers of Texas-based software company SolarWinds Corp. with malware. More than 140 technology service providers and resellers have been notified as recent targets of the hackers and 14 of them are believed to have been compromised, Microsoft said in a blog on Monday.

Nobelium was also behind an attack on IT companies, governments, think tanks, and financial service entities earlier this year that spanned 36 countries, Microsoft announced in June.

20minutes News

“Nobelium is trying to replicate the strategy used in past attacks by targeting organizations that are integral to the IT industry’s global supply chain,” Tom Burt, vice president at Microsoft responsible for customer safety, wrote in a blog post on Sunday.

Tom Burt specifies that these new attacks were detected from May 2021.

Microsoft has since notified more than 140 “resellers” (companies offering customization services for remote computing use) and technology server vendors that have been targeted.

Eleanor Dickinson

ARN Net News Editor

Nobelium has this time gone after more than 150 organisations, encompassing government agencies, think tanks, consultants and non-governmental organisations. Although the United States received the largest share of attacks, targeted victims span at least 24 countries, according to Microsoft.  

“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.

Anna Ribeiro

Industrial Cyber News Editor

Microsoft has also been coordinating with others in the security community to improve its knowledge of, and protections against, Nobelium’s activity, and working closely with government agencies in the U.S. and Europe. “While we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe steps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing we’ve seen between industry and government in the past two years, have put us all in a much better position to defend against them,” Burt wrote in the blog post.

Adam Rowe

tech.co News Editor

This time, it is attacking a different part of the supply chain: resellers and other technology service providers that customize, deploy and manage cloud services and other technologies on behalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner to gain access to their downstream customers.

Richard Connor

DW News Editor

The Russian-based agency that orchestrated last year’s SolarWinds cyberattacks — Nobelium — has hit hundreds more companies and organizations, according to tech giant Microsoft.

The company said it believes the activity shows Russia is seeking to grab a technological foothold in the US that would allow it better to spy on Kremlin targets, either now or in the future.

Isaiah Richard

Tech Times News Editor

Microsoft caught NOBELIUM before they could even distribute a wide-scale email URL malware campaign, which was intended for the US technological landscape, preventing another “SolarWinds” attack from happening. NOBELIUM is a known group that was linked with the recent hack of SolarWinds and is considered to be a massive threat by the security industry.

As most people would say, “Crisis averted,” and that was thanks to Microsoft’s diligent monitoring and research about the threat actors otherwise known as “NOBELIUM,” which have been observed lately. The group had been making its stealthy moves since January this year, carefully planning its attack, and striking only once all of its variables were in place.

Valentin Cimino

Siecledigital News Editor

According to ANSSI, the modus operandi of the attackers (MOA) used during these malicious activities would have “made it possible to compromise the email accounts of French organizations, and to send from these accounts trapped emails to foreign institutions”. Conversely, several French entities received booby-trapped messages, sent by supposedly compromised foreign institutions.

Experts from the National Information Systems Security Agency believe they have recognized the group of hackers behind these attacks. By analyzing the various phishing campaigns, ANSSI finds similarities with operating methods “documented in open source”. According to them, it is Nobelium, a MOA that has already been guilty of attacks against European and American diplomatic entities.

Guenni

Born City News Team

Microsoft accuses state-related Russian hackers from the APT29 group Nobelium of successfully attacking and hacking at least 14 IT service providers in 2021. The attacks consisted of phishing and password spraying campaigns. In the campaigns, the APT29 group (Nobelium) targeted around 140 resellers of cloud and IT services around the world.

Derek B. Johnson

Scmagazine News Editor

Researchers at the threat intelligence firm say they are now tracking multiple clusters of hacking activity that trace back to Nobelium, the name given by Microsoft to the suspected Russian intelligence outfit that leveraged a corrupted update in SolarWinds IT management software last year to infect more than 100 of its customers, including at least nine federal agencies.  

The new findings — released almost a year to the day since Mandiant (then FireEye) revealed the original SolarWinds compromise — underscore how the hackers have quietly continued to pursue access to systems and data of organizations that hold value to the Russian government.  

Lauren Muskett

CFO News Editor

Microsoft admitted the Russian nation-state actor Nobelium, the hacking group infamous for the SolarWinds hack, has engaged in jeopardizing global networks by targeting the tech supply chain, including resellers and providers of cloud technology.

Microsoft informed over 140 technology service providers and resellers that Nobelium targeted them and believes the hackers have compromised 14 of them. The attackers weren’t attempting to exploit any flaws or vulnerabilities in software but instead using “well-known” techniques to steal credentials.

Martin Giles

Forbes News Editor

Now Nobelium is making headlines again with a new set of software supply-chain attacks. In a blog post published on October 24, Microsoft security executive Tom Burt said his company had uncovered signs that the hacker group has been targeting software resellers and technology service providers in the cloud computing world. Since it saw the malicious activity in May, Microsoft has notified more than 140 companies that they may have been targeted and believes that as many as 14 have been compromised.

The effort is part of a broader wave of attacks by Nobelium. In his post, Burt noted that between July 1 and October 19, Microsoft informed 609 customers it believed had been attacked a total of 22,683 times by the group, though it only had a low single-digit success rate.

Sead Fadilpašić

Techradar News Editor

Russian state-sponsored threat actor Cozy Bear (also known as APT29 or Nobelium) is deploying new tactics to sneak into Microsoft 365 accounts, in an attempt to steal sensitive foreign policy intelligence.

Bill Toulas

Bleeping Computer News Editor

The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Microsoft 365 is a cloud-based productivity suite predominantly used by business and enterprise entities, facilitating collaboration, communication, data storage, email, office, and more.

Mandiant, who has been tracking the activities of Cozy Bear (aka APT29 and Nobelium), reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.

The researchers warn that the Russian group continues to demonstrate exceptional operational security to prevent analysts from discovering and exposing their attack methods. In a report published today, Mandiant highlights some of APT29’s advanced tactics and some of their newest TTPs (tactics, techniques, and procedures).