NOBELIUM

Threat Actor updated 9 days ago (2024-08-30T07:17:59.439Z)

Download STIX

Preview STIX

Nobelium, a threat actor linked to Russia, has been identified as a significant cybersecurity concern due to its targeted attacks on diplomatic entities in France and other European Union (EU) governments. The group, known by various names including APT29, SVR Group, Cozy Bear, Midnight Blizzard, and The Dukes, has been active since at least 2013. Its operations have intensified amidst geopolitical tensions, particularly relating to Russia's aggression against Ukraine. Nobelium is suspected of operating on behalf of the Russian Foreign Intelligence Service (SVR), using cyberespionage to bolster their offensive capabilities and shape future operations. The group has employed various tactics, techniques, and procedures (TTPs) to infiltrate systems and gather intelligence. Notably, in November 2023, Nobelium executed a "password spray attack" to breach a Microsoft platform. This technique involves using the same password across multiple accounts to gain unauthorized access to a company's systems. Furthermore, Microsoft reported attempts by Nobelium, which they refer to as Midnight Blizzard, to access its internal systems and source code repositories. Despite being identified as a new iteration of APT29 in March 2021, Nobelium continues to be interchangeably referred to as APT29 in reports from multiple security vendors. The group has concentrated its efforts on countries that support Ukraine in the ongoing war, indicating a politically motivated, state-sponsored agenda. As such, it is crucial for organizations to remain vigilant and adopt robust cybersecurity measures to mitigate the risk posed by this persistent and evolving threat actor.

Description last updated: 2024-08-30T07:15:52.352Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Midnight Blizzard	6	Midnight Blizzard, a Russia-linked threat actor, has been actively engaged in large-scale cyberespionage campaigns targeting organizations worldwide. The group, also known as APT29, SVR group, BlueBravo, Cozy Bear, Nobelium, and The Dukes, has been observed by Google's Threat Analysis Group (TAG) an
APT29	6	APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, BlueBravo, and the SVR group, is a Russia-linked threat actor notorious for its malicious cyber activities. In November 2023, this entity exploited a zero-day vulnerability in WinRAR software to launch attacks against various em
Cozy Bear	5	Cozy Bear, also known as APT29, Midnight Blizzard, and Nobelium, is a threat actor believed to operate out of Russia's Foreign Intelligence Service or SVR. This group has been linked to several high-profile cyber intrusions. One of the earliest identified activities of Cozy Bear was at the Democrati
Bluebravo	3	BlueBravo, also known as APT29, Nobelium, and various other names, is a threat actor believed to be linked with the Russian government. This group has been implicated in multiple high-profile cyber-espionage incidents, including the 2020 SolarWinds attack and breaches against the Democratic National
The Dukes	3	The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor widely believed to be linked to the Russian government. The group has been active since at least 2008, conducting cyber espionage operations against various governments, think tanks, diplomatic entities, an
Darkhalo	2	DarkHalo, also known as APT29, Cozy Bear, and tracked by Microsoft as Midnight Blizzard (previously NOBELIUM), is a sophisticated threat actor suspected of executing actions with malicious intent. These actions typically involve cyber attacks and are often attributed to either individual hackers, pr
Cloaked Ursa	2	Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout
UNC2452	2	UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a
YTTRIUM	2	Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor
Cozybear	2	CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian state. This group has been actively engaged in cyber operations against Ukraine and its allies and has been involved in several major breaches, including attacks on Okta, Dropbox, Department o

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Microsoft

Apt

Malware

Russia

Blizzard

Backdoor

State Sponso...

Implant

Email Accounts

russian

Teamcity

Source

Exploit

Ukraine

Espionage

France

Azure

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
EnvyScout	Unspecified	4	EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as t
SUNBURST	Unspecified	3	Sunburst is a sophisticated malware that has been linked to the Kazuar code, indicating its complexity. It was used in several well-known cyber attack campaigns such as SUNBURST, OilRig, xHunt, DarkHydrus, and Decoy Dog, which employed DNS tunneling techniques for command and control (C2) communicat
FoggyWeb	Unspecified	2	FoggyWeb is a type of malware recently discovered by Microsoft that hackers are using to remotely steal network admin credentials. The malware, which has been in use since as early as April 2021, is employed by the hacker group NOBELIUM to remotely exfiltrate the configuration database of compromise

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
APT28	Unspecified	2	APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party

Source Document References

Information about the NOBELIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	9 days ago	Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
Securityaffairs	a month ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	a month ago	security-affairs-malware-newsletter-round-5
CERT-EU	8 months ago	Microsoft hack: Company says Russian group broke into its email system using a password ‘spray attack’ \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
CERT-EU	6 months ago	Response to CISA Advisory (AA24-057A): SVR Cyber Actors Adapt Tactics for Initial Cloud Access
CERT-EU	6 months ago	Microsoft says Russian hacking group is still trying to crack its systems \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
BankInfoSecurity	3 months ago	Russian State Hackers Target French Government for Espionage
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	2 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	2 months ago	Russia-linked group APT29 likely breached TeamViewer
Securityaffairs	2 months ago	Russia's Midnight Blizzard stole email of more Microsoft customers
Securityaffairs	2 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint	2 months ago	24th June – Threat Intelligence Report - Check Point Research
Securityaffairs	3 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Russia-linked APT Nobelium targets French diplomatic entities
DARKReading	3 months ago	Russia's Midnight Blizzard Seeks to Snow French Diplomats
InfoSecurity-magazine	3 months ago	French Diplomatic Entities Targeted by Russian-Aligned Nobelium
BankInfoSecurity	3 months ago	Check Point Alert: Attackers Targeting Poorly Secured VPNs