8 December 2021

SolarWinds hackers target government and business entities worldwide, use novel TTPs, malware

Nobelium, an APT actor believed to be behind last year’s disruptive SolarWinds supply-chain attack, has been spotted using novel tactics and custom malware in campaigns targeting multiple technology solutions, services, and reseller companies, stealing data and moving laterally across networks.

In a new report, Mandiant researchers said they identified two distinct clusters of activity, UNC3004 and UNC2652, both linked to UNC2452, which Microsoft tracks as Nobelium.

According to the report, Nobelium has been compromising technology solutions, services, and reseller companies since 2020, gaining access to targets' networks with stolen credentials and using novel tactics, techniques and procedures (TTPs) to bypass security restrictions within those environments. The group also deployed a new, bespoke downloader called "CEELOADER", designed to decrypt a shellcode payload and execute it in memory on the compromised system, alongside Cobalt Strike Beacon for backdoor capabilities.

"In most instances, post compromise activity included theft of data relevant to Russian interests. In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," Mandiant said.

The threat actor was also observed abusing push notifications on smartphones to bypass multi-factor authentication (MFA) protections.

"In these cases, the threat actor had a valid username and password combination," Mandiant said. "Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user's legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account."
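The push-notification abuse described above leaves a recognisable trail in MFA provider logs: a burst of denied or timed-out pushes for one user, followed by an approval. The following detection sketch is an added example, not code from the article or from Mandiant; the log format, result names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (assumed format: timestamp user result).
# "alice" receives repeated pushes until one is accepted; "bob" mistypes once.
SAMPLE_LOG = """\
2021-12-01T02:10:05Z alice push_sent
2021-12-01T02:10:35Z alice push_denied
2021-12-01T02:11:02Z alice push_sent
2021-12-01T02:12:02Z alice push_timeout
2021-12-01T02:12:20Z alice push_sent
2021-12-01T02:12:50Z alice push_denied
2021-12-01T02:13:15Z alice push_sent
2021-12-01T02:14:15Z alice push_timeout
2021-12-01T02:14:30Z alice push_sent
2021-12-01T02:14:41Z alice push_approved
2021-12-01T09:00:00Z bob push_sent
2021-12-01T09:00:30Z bob push_denied
2021-12-01T09:00:45Z bob push_sent
2021-12-01T09:00:52Z bob push_approved
"""

UNANSWERED = {"push_denied", "push_timeout"}  # pushes the user did not accept


def parse_log(text):
    """Parse 'timestamp user result' lines into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def find_push_fatigue(events, window_minutes=10, threshold=3):
    """Flag users whose approval followed >= threshold unanswered pushes within the window.

    Returns {user: (unanswered_count, approval_timestamp_iso)}.
    """
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    alerts = {}
    for user, evs in by_user.items():
        for i, (ts, result) in enumerate(evs):
            if result != "push_approved":
                continue
            # Count denials/timeouts in the window preceding this approval.
            unanswered = sum(1 for t, r in evs[:i] if r in UNANSWERED and ts - t <= window)
            if unanswered >= threshold:
                alerts[user] = (unanswered, ts.isoformat())
    return alerts


if __name__ == "__main__":
    print(find_push_fatigue(parse_log(SAMPLE_LOG)))
```

A single denial before an approval (bob) stays below the threshold, so only the repeated-prompt pattern is reported; tune the window and threshold to your provider's prompt timeout.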

Other notable tactics observed in the attacks include using accounts with application impersonation privileges to collect sensitive mail data, using residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims, and using a combination of Tor, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments.

According to Microsoft, since May 2021, Nobelium has attacked 140 managed service providers (MSPs) and cloud service providers and managed to compromise at least 14 of them.
