20 June 2024

Russian Nobelium hackers target French diplomatic entities and public orgs

The French cybersecurity agency ANSSI said that the Russia-linked state-sponsored threat actor tracked as Nobelium has persistently targeted French diplomatic entities and public organizations since 2021.

In a new advisory, ANSSI detailed that Nobelium was involved in at least five coordinated campaigns between 2021 and 2024. The targets included the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies worldwide.

Nobelium, also known as Midnight Blizzard, has been active since at least October 2020 and has a history of conducting phishing campaigns against targets in Europe, Africa, North America, and Asia. Activities linked to this intrusion set have been publicly attributed to Russia's foreign intelligence service, the SVR.

Nobelium's tactics often involve using compromised legitimate email accounts belonging to diplomatic staff to conduct phishing campaigns against diplomatic institutions, embassies, and consulates. These operations, publicly described as the “Diplomatic Orbiter” campaign, involve forged lure documents targeting diplomatic staff. The attackers use custom loaders to execute public tools like Cobalt Strike or Brute Ratel C4, which facilitate network access, persistence, and data exfiltration.

While cybersecurity experts and ANSSI's partners track these activities under the name APT29, the agency differentiates three distinct SVR-related intrusion sets based on differences in their code, tactics, techniques, and procedures: APT29 (The Dukes), Dark Halo, and Nobelium. APT29 has been active since at least 2008 and is notably associated with the 2015 attack on the American Democratic National Committee. Dark Halo was linked to the SolarWinds supply chain attack exposed in December 2020. Nobelium, with its own distinct methods, has been tracked since October 2020.

From February to May 2021, Nobelium operators exploited compromised email accounts belonging to the French Ministry of Culture and ANCT to conduct phishing campaigns. The phishing emails carried attachments labeled "Strategic Review" and were used in attempts to move laterally within those information systems. ANSSI's investigations concluded that the attackers did not succeed in moving laterally within the Ministry of Culture and ANCT systems.
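The tactic described in this campaign and in the general "Diplomatic Orbiter" pattern above, a legitimate mailbox suddenly fanning out a single lure attachment to many external diplomatic recipients, is one a mail gateway can flag from its own outbound logs without any attacker-specific indicators. The script below is an added example, not code from ANSSI or from the original article: the log format, addresses, domains, and the "Strategic_Review.docx" burst are constructed for illustration, and the internal-domain list and thresholds are assumptions to tune against your own sending baseline.

```python
"""Heuristic detection of a compromised mailbox used for mass phishing.

Added example. The log format and every address below are constructed for
illustration; they are not from ANSSI, the article, or any real gateway.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption: domains whose recipients count as internal (not phishing targets).
INTERNAL_DOMAINS = {"culture.example.fr", "anct.example.fr"}

# Constructed outbound mail-gateway records: timestamp, sender, recipient,
# attachment file name ("-" when the message carried no attachment).
SAMPLE_LOG = """\
2021-03-04T08:55:12Z from=a.martin@culture.example.fr to=j.dupont@culture.example.fr attach=-
2021-03-04T09:02:41Z from=a.martin@culture.example.fr to=press@partner.example.org attach=agenda.pdf
2021-03-04T10:15:03Z from=p.leroy@anct.example.fr to=contact@embassy-a.example.net attach=Strategic_Review.docx
2021-03-04T10:15:09Z from=p.leroy@anct.example.fr to=info@embassy-b.example.net attach=Strategic_Review.docx
2021-03-04T10:15:15Z from=p.leroy@anct.example.fr to=office@mfa-c.example.net attach=Strategic_Review.docx
2021-03-04T10:15:22Z from=p.leroy@anct.example.fr to=desk@consulate-d.example.net attach=Strategic_Review.docx
2021-03-04T10:15:30Z from=p.leroy@anct.example.fr to=admin@embassy-e.example.net attach=Strategic_Review.docx
2021-03-04T10:16:01Z from=p.leroy@anct.example.fr to=secretariat@embassy-f.example.net attach=Strategic_Review.docx
2021-03-04T11:40:00Z from=p.leroy@anct.example.fr to=colleague@anct.example.fr attach=-
"""


@dataclass
class MailEvent:
    ts: datetime
    sender: str
    recipient: str
    attachment: Optional[str]


@dataclass
class Alert:
    sender: str
    start: datetime
    end: datetime
    recipients: list = field(default_factory=list)
    attachments: set = field(default_factory=set)

    @property
    def single_lure(self) -> bool:
        # One attachment name fanned out to everyone is the classic lure pattern.
        return len(self.attachments) == 1


def parse_log(text: str) -> list:
    """Parse 'ts key=value ...' lines into MailEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_raw, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        attach = fields.get("attach", "-")
        events.append(MailEvent(
            ts=datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ"),
            sender=fields["from"],
            recipient=fields["to"],
            attachment=None if attach == "-" else attach,
        ))
    return sorted(events, key=lambda e: e.ts)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def find_mass_phishing(events, window=timedelta(minutes=30), min_domains=3) -> list:
    """Flag senders that push attachments to >= min_domains distinct external
    domains inside one time window. Thresholds are assumptions to tune."""
    by_sender = defaultdict(list)
    for e in events:
        # Only outbound messages with an attachment to an external recipient matter.
        if e.attachment and domain(e.recipient) not in INTERNAL_DOMAINS:
            by_sender[e.sender].append(e)

    alerts = []
    for sender, evs in by_sender.items():
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            burst = evs[i:j]
            domains = {domain(e.recipient) for e in burst}
            if len(domains) >= min_domains:
                alerts.append(Alert(sender, burst[0].ts, burst[-1].ts,
                                    [e.recipient for e in burst],
                                    {e.attachment for e in burst}))
                i = j  # consume the burst so it yields one alert, not several
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in find_mass_phishing(parse_log(SAMPLE_LOG)):
        print(f"{a.sender}: {len(a.recipients)} external recipients in "
              f"{a.end - a.start}, lure(s) {sorted(a.attachments)}, "
              f"single_lure={a.single_lure}")
```

On the constructed log the legitimate sender a.martin, who emails one external partner with an agenda, is not flagged, while p.leroy, whose account pushes the same document to six diplomatic domains in under a minute, is. In production the window and domain thresholds should come from each account's historical fan-out, and a hit on a diplomatic sender should trigger a credential reset and a review of mailbox rules, since the page's point is that the sending account itself is the compromised asset.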

Nobelium also targeted the French Ministry of Foreign Affairs, attempting to deploy Cobalt Strike to gain remote control of compromised machines; this attempt also failed.

IT companies have also reported being targeted by Nobelium's operators in late 2023 and 2024. Western diplomatic entities, including embassies and Ministries of Foreign Affairs, account for most of Nobelium’s known victims. French public organizations have faced repeated phishing attacks originating from foreign institutions compromised by Nobelium.

“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine. Nobelium’s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests,” the agency said. “The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent. The intelligence gathered during recent attacks against IT sector entities could also facilitate Nobelium’s future operations.”
