NOBELIUM

Threat Actor Profile (updated 7 days ago)
Nobelium, a threat actor linked to Russia's SVR, has been noted for persistent malicious activity against diplomatic entities. The group has particularly targeted French interests, as reported by ANSSI (France's National Agency for the Security of Information Systems). Its methods include phishing campaigns and attempts to install Cobalt Strike, a well-known penetration testing tool that is frequently misused by attackers. In April and May 2022, Nobelium targeted numerous email addresses of the French Ministry of Foreign Affairs with phishing messages; a year later, in May 2023, it launched a similar campaign against several European embassies in Kyiv, including the French embassy.

The group's technical sophistication is evident in its use of FoggyWeb to exfiltrate data from compromised servers. Nobelium was observed remotely extracting the configuration database of compromised AD FS servers, together with the decrypted token-signing and token-decryption certificates, and downloading and executing additional components. In one instance, already holding administrative permissions, Nobelium dropped a malicious loader named version.dll in the %WinDir%\ADFS\ folder, where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located.

Furthermore, TeamViewer, a prominent IT and cybersecurity entity, recently discovered a breach of its corporate network attributed to a threat actor that some reports link to Nobelium. This incident underscores the group's capability and intent to target not only governmental and diplomatic entities but also key players in the tech industry. These actions represent a significant national security concern, endangering French, European, and potentially global interests. As the report concludes, "Nobelium's techniques, tactics, and procedures remain mainly constant over time," indicating a persistent threat that requires continuous vigilance and robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID (Votes): Profile Description

APT29 (6 votes): APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability

Midnight Blizzard (6 votes): Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, has been identified as a significant cybersecurity threat with a series of high-profile attacks. The group has successfully breached several major corporations, including Hewlett Packard Enterprise (HPE) and Microsoft, as par

Cozy Bear (5 votes): Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network

Bluebravo (3 votes): BlueBravo, also known as APT29 or Nobelium, is a threat actor group linked to Russia that has been implicated in several high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with some reports attributing the intrusion to this group. BlueBravo, along with oth

The Dukes (3 votes): The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin

Cloaked Ursa (2 votes): Cloaked Ursa, also known as APT29, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor linked to Russia's Foreign Intelligence Service (SVR). This group has been observed executing cyber-espionage attacks on diplomatic entities throughout Eastern Europe. It utilizes innovative tactics and

UNC2452 (2 votes): UNC2452, also known as APT29, Cozy Bear, Nobelium, and Midnight Blizzard, is a highly skilled and disciplined threat actor group linked to Russia's SVR intelligence agency. The group gained notoriety for its role in the SolarWinds compromise in December 2020, an extensive cyberattack that involved a

YTTRIUM (2 votes): Yttrium, also known as APT29, CozyBear, UNC2452, NOBELIUM, and Midnight Blizzard, is a prominent threat actor in the cybersecurity landscape. This group has been attributed to several significant cyber-attacks, with its activities largely overlapping with those attributed to APT29 or CozyBear, accor

Darkhalo (2 votes): DarkHalo, also known as APT29, Cozy Bear, and tracked by Microsoft as Midnight Blizzard (previously NOBELIUM), is a sophisticated threat actor suspected of executing actions with malicious intent. These actions typically involve cyber attacks and are often attributed to either individual hackers, pr

Cozybear (2 votes): CozyBear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian state. This group has been actively engaged in cyber operations against Ukraine and its allies and has been involved in several major breaches, including attacks on Okta, Dropbox, Department o

IRON HEMLOCK (1 vote): Iron Hemlock, a threat actor also known as APT29, Cozy Bear, BlueBravo, Cloaked Ursa, The Dukes, and Midnight Blizzard, has been identified as a significant cybersecurity concern. This group, suspected to be associated with Russia and previously identified as Nobelium, is known for executing actions

Dark Halo (1 vote): Dark Halo, a cyber threat actor identified by cybersecurity company Volexity, has been linked to several significant cyber attacks. This group initially gained notoriety for its exploitation of the SolarWinds Orion software in June and July 2020, which resulted in a major breach of the targeted orga
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Phishing
Microsoft
Malware
russian
Backdoor
Implant
State Sponso...
Russia
Blizzard
Teamcity
Ukraine
Azure
France
Espionage
Exploit
Email Accounts
Vulnerability
Loader
Cobalt Strike
Ios
Lateral Move...
T1566.003
T1566.002
Antivirus
Decoy
Shellcode
Proxy
Beacon
Infiltration
exploitation
Ransomware
Html
At
Spyware
Cloudzy
Industrial
Github
European
Kaspersky
Sec
WinRAR
Windows
Corporate
State Sponso...
Malware Drop...
Source
Dropper
NDSC
Government
Solarwinds
Blackberry
Associated Malware
ID (Type, Votes): Profile Description

EnvyScout (type Unspecified, 4 votes): EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as t

SUNBURST (type Unspecified, 3 votes): Sunburst is a highly sophisticated malware that infiltrated the SolarWinds Orion platform, an event that came to light in late 2020. The malware was embedded into the system as early as January 2019, evading detection for almost two years. The campaign was attributed to Russia's Foreign Intelligence

FoggyWeb (type Unspecified, 2 votes): FoggyWeb is a type of malware recently discovered by Microsoft that hackers are using to remotely steal network admin credentials. The malware, which has been in use since as early as April 2021, is employed by the hacker group NOBELIUM to remotely exfiltrate the configuration database of compromise

Magicweb (type Unspecified, 1 vote): MagicWeb is a sophisticated malware that was first reported by Microsoft in August 2022. It was developed and deployed by the threat group Nobelium, also known as Cozy Bear or APT29, who are believed to be associated with the Russian Foreign Intelligence Service (SVR). MagicWeb is designed to exploi

NativeZone (type Unspecified, 1 vote): NativeZone is a malware identified as a custom Cobalt Strike Beacon loader. This malicious software was dubbed NativeZone by Microsoft and is typically loaded and executed through rundll32.exe to deliver follow-on payloads. The malware uses DLL files, such as Document.dll and NativeCacheSvc.dll, and

Raindrop (type Unspecified, 1 vote): Raindrop is a type of malware discovered during the Solorigate investigation, along with other malicious software such as TEARDROP, SUNBURST, and various custom loaders for the Cobalt Strike beacon. These malware types, including Raindrop, are likely generated using custom Artifact Kit templates. Ra

BoomBox (type Unspecified, 1 vote): BoomBox, tracked by Microsoft as a malicious downloader, represents a significant threat in the landscape of malware. This harmful program infiltrates systems and exploits them for various nefarious purposes. It operates by first downloading an encrypted file from a Dropbox account controlled by the

Sibot (type Unspecified, 1 vote): Sibot is a malware that operates as a dual-purpose VBScript, designed to achieve persistence on an infected machine and then download and execute payloads from a remote C2 server. It reaches out to a compromised website to download a DLL to a folder under System32. Malware is harmful software capabl

Graphicalproton (type Unspecified, 1 vote): GraphicalProton is a sophisticated malware developed by the threat group known as SVR, which has been exploiting cloud-based services such as Microsoft OneDrive and Dropbox for Command and Control (C2) infrastructure. The malware uses randomly generated BMPs to exchange data with the SVR operator an

Ursa (type Unspecified, 1 vote): URSA is a harmful malware, typically delivered as an archive attachment to phishing emails. It operates as a backdoor into the infected system, enabling unauthorized access and exploitation. The malware has been particularly active in Latin America, where it's known as the Mispadu banking trojan. Si

Tomiris (type Unspecified, 1 vote): Tomiris is a malicious software (malware) group that has been active since before 2019. Known for its use of the QUIETCANARY backdoor, Tomiris has expanded its capabilities and influence within the region, targeting government entities and other high-value targets. The group has shown a particular i

InvisiMole (type Unspecified, 1 vote): InvisiMole is a sophisticated malware with modular architecture, designed to infiltrate and exploit computer systems undetected. It begins its operation using a wrapper DLL and performs activities through two other modules embedded in its resources. Notably, the malware is capable of scanning enable

TEARDROP (type Unspecified, 1 vote): Teardrop is a sophisticated malware used in cyber attacks, often associated with APT29/Cozy Bear, a group known for deploying advanced tactics and techniques. It has been linked to the Solorigate (SUNBURST) backdoor and is part of a suite of tools including Raindrop, GoldMax, and others used by the

GoldMax (type Unspecified, 1 vote): GoldMax is a sophisticated malware, initially discovered to target Windows platforms with the earliest identified timestamp indicating a compilation in May 2020. The malicious software was designed by threat actors to exploit and damage computer systems, often infiltrating without the user's knowled

VaporRage (type Unspecified, 1 vote): VaporRage, identified and tracked by Microsoft, is a sophisticated malware variant that operates as a shellcode downloader. This malicious software, embedded within the CertPKIProvider.dll file, is part of a unique infection chain used by the cyber threat group NOBELIUM, which also includes other to

Cobalt Strike Beacon (type Unspecified, 1 vote): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an

Tomiris Golang (type Unspecified, 1 vote): Tomiris Golang is a malicious software (malware) identified by its unique SHA-256 hash, fd7fe71185a70f281545a815fce9837453450bb29031954dd2301fe4da99250d. It was first introduced as a threat actor that infiltrates systems by taking over legitimate government hostnames to deploy the Tomiris Golang imp

Sunshuttle (type Unspecified, 1 vote): Sunshuttle is a malicious software (malware) that has been linked to various cyber threats. Initial reports identified connections between Sunshuttle, a Tomiris Golang implant, NOBELIUM (also known as APT29 or TheDukes), and Kazuar, which is associated with Turla. However, interpreting these connect

Kazuar (type Unspecified, 1 vote): Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
ID (Type, Votes): Profile Description

APT28 (type Unspecified, 2 votes): APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar

Gamaredon (type Unspecified, 1 vote): Gamaredon, a threat actor or Advanced Persistent Threat (APT) believed to be of Russian origin, has been actively executing malicious activities primarily against Ukraine since 2013. The group is known for its deployment of home-brewed malware through malicious documents, with the European Union's C

Kimsuky (type Unspecified, 1 vote): Kimsuky, a threat actor linked to North Korea, has been identified as the perpetrator behind a series of advanced persistent threat (APT) attacks. The group is known for its malicious activities, which typically involve cyber espionage and targeted attacks on high-profile entities. Recently, Kimsuky

APT10 (type Unspecified, 1 vote): APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted

Bluenoroff (type Unspecified, 1 vote): BlueNoroff, a threat actor closely associated with the notorious Lazarus Group, has been actively involved in malicious cyber activities primarily targeting financial institutions and cryptocurrency businesses. Known for its sophisticated attacks on banks, casinos, fintech companies, POST software,

Elfin (type Unspecified, 1 vote): Elfin, also known by various names including Curious Serpens, Peach Sandstorm, APT33, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a significant threat actor with a track record of malicious cyber activities dating back to at least 2013. The group has been particularly active from 2016 to 2019, target

Circuit Panda (type Unspecified, 1 vote): Circuit Panda, also known as BlackTech, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard, is a significant threat actor with a history of operating against targets in East Asia, particularly Taiwan, Japan, and Hong Kong since at least 2007. This group is part of a constellation of adva

Turla (type Unspecified, 1 vote): Turla, also known as Pensive Ursa, is a notable threat actor group linked to Russia. This sophisticated hacking team has been active for several years and is known for its advanced persistent threat (APT) activities. Turla's operations are characterized by the use of complex malware and backdoor exp

Phosphorus (type Unspecified, 1 vote): Phosphorus, also known as APT35 or Charming Kitten, is a notorious Iranian cyberespionage group linked to the Islamic Revolutionary Guard Corps (IRGC). This threat actor has been involved in a series of malicious activities, employing novel tactics and tools. A significant discovery was made by the

ACTINIUM (type Unspecified, 1 vote): Actinium, also known as Primitive Bear or Shuckworm, is a notable threat actor in the realm of cyber espionage, primarily focusing on Ukraine. This group is one of several Russian government Advanced Persistent Threat (APT) hacking teams that have actively engaged in cyber operations against Ukraine

STRONTIUM (type Unspecified, 1 vote): Strontium, also known as APT28, Fancy Bear, Forest Blizzard, and several other aliases, is a Russia-linked threat actor that has been active since at least 2007. This group, believed to be associated with the Russian General Staff Main Intelligence Directorate (GRU), has targeted governments, milita

Fancy Bear (type Unspecified, 1 vote): Fancy Bear is a sophisticated Russian-based threat actor, also known as Sofacy or APT 28, that has been active since the mid-2000s. Fancy Bear is responsible for targeted intrusion campaigns against the Aerospace, Defense, Energy, Government and Media sectors. At the DNC, both Cozy Bear and Fancy Be
Associated Vulnerabilities
ID (Type, Votes): Profile Description

CVE-2021-1879 (type Unspecified, 1 vote): (no profile description)

CVE-2023-38831 (type Unspecified, 1 vote): CVE-2023-38831 is a critical vulnerability identified in the WinRAR software, with a CVSS score of 7.8, indicating high severity. This flaw in software design or implementation has been exploited to disseminate the LONEPAGE malware through ZIP files using an exploit known as UAC-0099. The vulnerabil
Source Document References
Information about the NOBELIUM threat actor was read from the document corpus below. This display is limited to 20 results.
Source, Created At: Title

Securityaffairs, 7 days ago: Security Affairs Malware Newsletter - Round 1
Securityaffairs, 14 days ago: Russia-linked group APT29 likely breached TeamViewer
Securityaffairs, 14 days ago: Russia's Midnight Blizzard stole email of more Microsoft customers
Securityaffairs, 14 days ago: Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Checkpoint, 20 days ago: 24th June – Threat Intelligence Report - Check Point Research
Securityaffairs, 21 days ago: Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs, 23 days ago: Russia-linked APT Nobelium targets French diplomatic entities
DARKReading, 24 days ago: Russia's Midnight Blizzard Seeks to Snow French Diplomats
InfoSecurity-magazine, 24 days ago: French Diplomatic Entities Targeted by Russian-Aligned Nobelium
BankInfoSecurity, 2 months ago: Check Point Alert: Attackers Targeting Poorly Secured VPNs
InfoSecurity-magazine, 3 months ago: New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads
CERT-EU, 4 months ago: Microsoft is Under Attack by Russian Hackers | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 4 months ago: Nation-state hackers access Microsoft source code and steal secrets
CERT-EU, 4 months ago: Moscow-Sponsored Hackers Continue to Further Hacking Attempts | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 4 months ago: Russian cyber spies infiltrated Microsoft’s systems, accessed source code
CERT-EU, 4 months ago: Microsoft says source code stolen in Russian hacking escalation
CERT-EU, 4 months ago: 11th March – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine, 4 months ago: Russia’s Midnight Blizzard Accesses Microsoft Source Code
CERT-EU, 4 months ago: Microsoft Confirms It Has Yet to Contain Russian State Hack : Tech : Tech Times | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
CERT-EU, 4 months ago: Cyber Security Today for Monday, March 11, 2024 – Breaking Bad in Cyber Security | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting