According to the French national cyber-security agency ANSSI, the Russian-backed Nobelium hacking group, which was behind last year’s SolarWinds attack, has been targeting French organizations since February 2021. While the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) has not identified how Nobelium gained access to email accounts belonging to French organizations, it reports that the attackers used those accounts to send malicious emails to foreign entities.
In turn, spoofed emails sent from servers belonging to foreign organizations, believed to have been compromised by the same threat actor, were sent on to French public organizations. Nobelium’s infrastructure for the attacks on French organizations consisted mainly of virtual private servers (VPS) rented from several hosting companies, with a preference for OVH servers located close to the targeted countries.
In a recently released report, ANSSI identified overlaps in tactics, techniques, and procedures (TTPs) between the phishing operations it monitors and the 2020 SolarWinds supply-chain attack. To defend against this group, ANSSI recommends restricting the execution of email attachments, so that malicious files delivered through phishing campaigns cannot run on the recipient’s workstation.
The agency also urges at-risk organizations to harden Active Directory, and AD servers in particular, following its own Active Directory security hardening recommendations.
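The attachment restriction ANSSI recommends is usually enforced at the mail gateway or endpoint rather than left to the user. The following is an added illustration of that control, not ANSSI’s tooling or anything from its report: a small filter that parses an inbound message and blocks attachments by executable file extension and, independently of the name, by content signature (PE `MZ` header, ISO 9660 label, macro-enabled Office container). The deny-list, the sample message and the addresses in it are constructed for the example.

```python
"""Inbound attachment policy check (added example, not ANSSI's code).

Assumes a mail gateway that can hand each inbound message to this filter as
raw RFC 822 bytes. The extension deny-list and the content signatures below
are a constructed starting policy, not a list taken from the ANSSI report.
"""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Constructed deny-list: file types Windows executes directly on double-click,
# plus script hosts, shortcut files, disk images and macro-enabled Office formats.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
    ".msi", ".iso", ".img", ".docm", ".xlsm", ".pptm",
}


def classify_attachment(filename: Optional[str], payload: bytes) -> Optional[str]:
    """Return a block reason, or None if the attachment passes the policy."""
    name = (filename or "").lower()
    # Only the final suffix matters to the OS: "invoice.pdf.exe" is an .exe.
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked-extension:{ext}"
    # Content checks run even when the name looks harmless, because a renamed
    # executable still runs once the user saves it and opens it as the real type.
    if payload[:2] == b"MZ":                      # PE / MZ executable header
        return "pe-executable"
    if len(payload) > 0x8005 and payload[0x8001:0x8006] == b"CD001":
        return "iso-image"                        # ISO 9660 primary volume descriptor
    if payload[:4] == b"PK\x03\x04" and b"vbaProject.bin" in payload:
        return "office-macro"                     # OOXML zip carrying a VBA project
    return None


def check_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw message and return (filename, reason) for every blocked attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if isinstance(payload, str):              # text/* parts decode to str
            payload = payload.encode(part.get_content_charset() or "utf-8", "replace")
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            findings.append((part.get_filename() or "<unnamed>", reason))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample phishing-style message with one benign and two bad attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed address
    msg["To"] = "recipient@example.invalid"       # constructed address
    msg["Subject"] = "Please review the attached documents"
    msg.set_content("See attachments.")
    # Benign PDF (constructed bytes): should pass.
    msg.add_attachment(b"%PDF-1.4\n% constructed sample\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    # Executable hiding behind a double extension: caught by the extension rule.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    # Executable renamed to look like text: caught by the MZ content check.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in check_message(build_sample_message()):
        print(f"BLOCK {filename}: {reason}")
```

Running the block prints a block line for `invoice.pdf.exe` (extension rule) and `notes.txt` (content rule) and nothing for `report.pdf`. A production filter would also unpack archives and apply the same checks to their contents, since a deny-list on the outer file name alone is trivially bypassed by wrapping the file in a ZIP.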
Nobelium (also tracked as APT29, The Dukes, or Cozy Bear), the cyber unit of the Russian Foreign Intelligence Service (SVR), is the group behind last year’s SolarWinds supply-chain operation, which led to the compromise of several US federal agencies. In April, the US government formally accused the SVR of directing SolarWinds’ “broad-scope cyber espionage effort.”
The Microsoft Threat Intelligence Center (MSTIC) published details in May of a Nobelium phishing campaign that targeted government entities in 24 countries. According to Microsoft, Nobelium continues to attack the global IT supply chain: since May 2021, 140 managed service providers (MSPs) and cloud service providers have been targeted and at least 14 compromised.
Microsoft reported that Nobelium was the most active Russian hacking group between July 2020 and June 2021, responsible for the activity behind 92 percent of the Russia-related threat notifications delivered to its customers.