Nobelium. Just a year ago, cybersecurity companies including Microsoft and FireEye associated the name with one of the biggest cyber espionage operations in history. The Nobelium hackers had succeeded in discreetly infecting the Orion software from the American company SolarWinds. Their malicious code, embedded in the official updates of Orion, had allowed them to open access to the computer networks of dozens of client organizations of the software. Among the victims were companies but especially several branches of the American government, all targeted for their strategic information.
A year later, on December 6, it was the turn of Anssi's CERT, the organization in charge of alerting French organizations to the main threats aimed at them, to mention the name Nobelium.
In its report, Anssi provides technical indicators that should allow defenders to better protect themselves against the group of cyberspies, at least temporarily.
Anssi warns of cyber espionage
Nobelium belongs to the category of "advanced persistent threats", known by the acronym APT, which designates organizations most often funded by states. "In this appellation, the most important term is 'persistent'. APTs will constantly target the same entities, whereas cybercriminal organizations choose the easiest targets to attack," Matthieu Faou, a researcher on these threats at the company Eset, explains to La Tribune. It is therefore not surprising that Nobelium reappeared shortly after the SolarWinds affair, despite threats of sanctions by the American authorities.
If the action of the APTs is long-term, it is because their objectives relate to cyber espionage: they seek above all to collect strategic, industrial or governmental information. To achieve this, they must infiltrate the victims' computer systems as discreetly as possible, then manage to evade detection mechanisms for as long as possible.
Nobelium, for its part, has two types of preferred targets: diplomats on the one hand, and on the other organizations, like SolarWinds, that make it possible to reach a large number of targets by pivoting through them. In principle, Nobelium's targets know that they are in its sights, or at least that they must maintain a level of security commensurate with the strategic interest they represent.
Between trivial methods and advanced cyber espionage
Specifically, when APT hackers compromise a target's computer, they install a "shell" on it, a kind of parallel control interface, which they use to send emails and infect other targets. This is how Anssi explains that French entities have received malicious emails from foreign organizations, and vice versa.
The agency specifies that the "initial method of intrusion is unknown", and it must be said that Nobelium has a wide arsenal of techniques at its disposal, from the most trivial to the most complex. In recent phishing campaigns observed by Eset, in waves spaced two months apart, the hackers perfectly mimicked the type of mail received by diplomats, such as reports related to their activity or invitations to embassy dinners. On the other hand, Matthieu Faou was surprised by the technical poverty of the most recent ones: "some attack chains require between 4 and 5 clicks from the target before infecting it, but also require opening strange file extensions, such as .iso, a format used for storage on CD-ROMs."
However, the more clicks a phishing attack requires, the less likely it is to work, since each click gives the target a greater chance of realizing the deception.
In contrast to this observation, the Mandiant company identified, in a report published on December 6, new Nobelium techniques for evading detection and remaining on the victim's system. And that's not all: the hackers have also managed to use unusual channels to reach their targets. For example, they succeeded in obtaining privileged access to cloud providers, which they used to reach the providers' customers, their final targets. They also managed to steal session tokens, the authentication cookies that in some cases allow logging in to an account without having the password.
Attribution, a balancing act
Particularly active, Nobelium has received several names, such as APT29 or Cozy Bear, since the first detection of its activity in 2008. But if its name is so well known, it is because it has a rare particularity: the White House has attributed its attack on SolarWinds to the SVR, one of the branches of Russian military intelligence. In other words, according to the United States, the Russian government is behind the Nobelium campaigns. This kind of precise attribution remains an unusual diplomatic fact, as even the most talkative companies usually content themselves with naming the potential country of origin of the attackers. "Trying to make attribution with only technical elements is to have a 50% risk of being wrong," warns Matthieu Faou. "Presumably the US government had access to other elements that we don't."
Anssi, for its part, is more cautious than its American counterparts: it confines itself to designating a "modus operandi", that is to say a set of tools and attack techniques used jointly. In other words, it states that the attacks against French entities use Nobelium's modus operandi, but without naming the group itself, and above all, without making a link with Russian intelligence. This choice of words matters in the diplomatic game. Moreover, even this kind of cautious attribution to a modus operandi remains very rare for Anssi, the only precedent being the Centreon case in 2020.
François Manens, 6 min read