NOBELIUM

Threat Actor updated 16 days ago (2024-11-08T12:40:30.622Z)

Download STIX

Preview STIX

Nobelium, a Russia-linked Advanced Persistent Threat (APT) group, also known under various aliases such as APT29, SVR group, BlueBravo, Cozy Bear, Midnight Blizzard, and The Dukes, has been actively involved in large-scale cyber espionage campaigns. The threat actor has been targeting French diplomatic entities, with over 1,000 users across more than 100 organizations being affected for intelligence gathering purposes. Furthermore, Microsoft has reported a significant spear-phishing campaign by Nobelium, dubbed Midnight Blizzard, aimed at its customer base. In addition to these attacks, the group has been exploiting vulnerabilities in Zimbra and JetBrains TeamCity servers as part of a mass scale campaign. This was brought to light by warnings from US and UK cyber agencies. A joint advisory published on October 10 highlighted an ongoing cyber espionage campaign by APT29, emphasizing the vast reach and impact of this threat actor's activities. Google TAG researchers have also observed the actions of this Russia-linked group, reinforcing its status as a significant cybersecurity threat. Nobelium has been using sophisticated techniques such as "password spray attack" to breach systems, including those of Microsoft, starting in November 2023. The group has been active since at least 2013, often focusing on intelligence gathering from governments supporting Ukraine in the ongoing war, as evidenced by their activities against several European Union (EU) governments reported in May 2023. While Nobelium was identified as a new iteration of APT29 in March 2021, it is clear that regardless of the name used, this entity continues to pose a substantial threat to global cybersecurity.

Description last updated: 2024-10-30T21:02:29.470Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
APT29 is a possible alias for NOBELIUM. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw	6
Midnight Blizzard is a possible alias for NOBELIUM. Midnight Blizzard, also known as APT29 and Cozy Bear, is a Russia-linked threat actor group believed to be tied to the country's Foreign Intelligence Service (SVR). The group has been implicated in several high-profile cyber attacks, including breaches of Microsoft and Hewlett Packard Enterprise (HP	6
Cozy Bear is a possible alias for NOBELIUM. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy	5
The Dukes is a possible alias for NOBELIUM. The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se	4
Bluebravo is a possible alias for NOBELIUM. BlueBravo, a threat actor linked to the Russia-based Advanced Persistent Threat (APT) group APT29, has been identified as a significant cyber threat. Also known by various other names such as SVR Group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, this entity is suspected of conducting sev	3
Darkhalo is a possible alias for NOBELIUM. DarkHalo, also known as APT29, Cozy Bear, and tracked by Microsoft as Midnight Blizzard (previously NOBELIUM), is a sophisticated threat actor suspected of executing actions with malicious intent. These actions typically involve cyber attacks and are often attributed to either individual hackers, pr	2
Cloaked Ursa is a possible alias for NOBELIUM. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout	2
UNC2452 is a possible alias for NOBELIUM. UNC2452, also known as Midnight Blizzard, Cozy Bear, APT29, and Nobelium, is a sophisticated threat actor responsible for several high-profile cyber attacks. The group gained notoriety in December 2020 when it compromised SolarWinds' supply chain, an event tracked by Mandiant, a leading cybersecurit	2
YTTRIUM is a possible alias for NOBELIUM. Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor	2
Cozybear is a possible alias for NOBELIUM. CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian state. This group has been actively engaged in cyber operations against Ukraine and its allies and has been involved in several major breaches, including attacks on Okta, Dropbox, Department o	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Phishing

Apt

Malware

Microsoft

Teamcity

State Sponso...

Implant

Email Accounts

russian

Russia

Blizzard

Backdoor

Source

Exploit

Ukraine

Espionage

France

Azure

Vulnerability

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The EnvyScout Malware is associated with NOBELIUM. EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as t	Unspecified	4
The SUNBURST Malware is associated with NOBELIUM. Sunburst is a sophisticated malware that was detected in a major supply chain attack in December 2020. The Sunburst backdoor has been tied to Kazuar, another malicious software, due to code resemblance, indicating its high level of complexity. This malware infiltrates systems, often without the user	Unspecified	3
The FoggyWeb Malware is associated with NOBELIUM. FoggyWeb is a type of malware recently discovered by Microsoft that hackers are using to remotely steal network admin credentials. The malware, which has been in use since as early as April 2021, is employed by the hacker group NOBELIUM to remotely exfiltrate the configuration database of compromise	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT28 Threat Actor is associated with NOBELIUM. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)	Unspecified	2

Source Document References

Information about the NOBELIUM Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	24 days ago	Russia-linked Midnight Blizzard APT targeted 100+ organizations with a spear-phishing campaign using RDP files
Securityaffairs	a month ago	Russia-linked group APT29 is targeting Zimbra and JetBrains TeamCity servers on a large scale
InfoSecurity-magazine	a month ago	Russia's SVR Targets Zimbra, TeamCity Servers for Cyber Espionage
Securityaffairs	3 months ago	Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa
Securityaffairs	3 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
Securityaffairs	4 months ago	security-affairs-malware-newsletter-round-5
CERT-EU	10 months ago	Microsoft hack: Company says Russian group broke into its email system using a password ‘spray attack’ \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
CERT-EU	9 months ago	Response to CISA Advisory (AA24-057A): SVR Cyber Actors Adapt Tactics for Initial Cloud Access
CERT-EU	9 months ago	Microsoft says Russian hacking group is still trying to crack its systems \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker
BankInfoSecurity	5 months ago	Russian State Hackers Target French Government for Espionage
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	4 months ago	Security Affairs Malware Newsletter - Round 2
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 1
Securityaffairs	5 months ago	Russia-linked group APT29 likely breached TeamViewer
Securityaffairs	5 months ago	Russia's Midnight Blizzard stole email of more Microsoft customers
Securityaffairs	5 months ago	Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint	5 months ago	24th June – Threat Intelligence Report - Check Point Research
Securityaffairs	5 months ago	Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Russia-linked APT Nobelium targets French diplomatic entities