Nobelium, the threat actor attributed to the massive SolarWinds supply chain compromise, has been once again linked to a series of attacks targeting multiple cloud solution providers, services, and reseller companies, as the hacking group continues to refine and retool its tactics at an alarming pace in response to public disclosures.

The intrusions, which are being tracked by Mandiant under two different activity clusters, UNC3004 and UNC2652, are both associated with UNC2452, an uncategorized threat group that has since been tied to the Russian intelligence service. UNC2652, in particular, has been observed targeting diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike Beacon onto the infected devices.

"In most instances, post compromise activity included theft of data relevant to Russian interests," Mandiant researchers Luke Jenkins, Sarah Hawley, Parnian Najafi, and Doug Bienstock said in a new report. "In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments."


The revelations come exactly a year after details emerged of a Kremlin-backed hacking campaign that breached the servers of network management provider SolarWinds to distribute tainted software binaries to a number of high-profile customers, including nine U.S. federal agencies.

If anything, the development is yet another indication of the threat actor's capacity to continually "innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," while also highlighting the "effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations."

Microsoft had previously described Nobelium as "skillful and methodic operators who follow operations security (OpSec) best practices."

Ever since the SolarWinds incident came to light, the APT group has been connected to a string of attacks aimed at think tanks, businesses, and government entities around the globe, even as an ever-expanding malware toolbox has been put to use with the goal of establishing a foothold in the attacked system and downloading other malicious components.

In late October 2021, Microsoft took the wraps off an intrusion campaign that compromised as many as 14 downstream customers of multiple cloud service providers (CSP), managed service providers (MSP), and other IT services organizations. The poisoning attacks worked by breaking into the service providers, subsequently using the privileged access and credentials belonging to these providers to strike a wide range of organizations that relied on the CSPs.

Top-notch operational security and advanced tradecraft

Other techniques the group has incorporated into its playbook include the use of credentials potentially obtained from an info-stealer malware campaign staged by a third-party actor to gain initial access to organizations. In that attack sequence, the victims' workstations were infected with CryptBot malware after browsing to low-reputation websites offering cracked software, corroborating a similar report from Red Canary published last week.

Nobelium also employs a new tool dubbed Ceeloader, a bespoke downloader designed to decrypt a shellcode payload and execute it in memory on the compromised system, and abuses push notifications on smartphones to circumvent multi-factor authentication (MFA) protections.

"In these cases, the threat actor had a valid username and password combination," the researchers said. "Many MFA providers allow for users to accept a phone app push notification or to receive a phone call and press a key as a second factor. The threat actor took advantage of this and issued multiple MFA requests to the end user's legitimate device until the user accepted the authentication, allowing the threat actor to eventually gain access to the account."
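
For defenders, the repeated-prompt pattern described above can be hunted in identity provider logs: a run of denied or unanswered push prompts for one user, followed shortly by an approval. The sketch below is an added example, not code from Mandiant or from this article; the log format, field names, 10-minute window and threshold of three prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (assumed format): timestamp user factor result
SAMPLE_LOG = """
2021-12-06T09:00:05Z alice push denied
2021-12-06T09:00:40Z alice push timeout
2021-12-06T09:01:10Z alice push denied
2021-12-06T09:01:55Z alice push timeout
2021-12-06T09:02:30Z alice push approved
2021-12-06T09:10:00Z bob push timeout
2021-12-06T09:10:20Z bob push approved
2021-12-06T08:00:00Z carol push denied
2021-12-06T08:01:00Z carol push denied
2021-12-06T08:02:00Z carol push denied
2021-12-06T09:30:00Z carol push approved
2021-12-06T09:40:00Z dave totp denied
2021-12-06T09:40:30Z dave totp approved
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 3                   # assumed count of failed prompts worth alerting on

def find_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag push approvals preceded by >= threshold denied/timed-out prompts within window."""
    failed = defaultdict(deque)  # user -> timestamps of recent failed push prompts
    alerts = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for line in sorted(l.strip() for l in log_text.splitlines() if l.strip()):
        ts_raw, user, factor, result = line.split()
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        if factor != "push":
            continue  # only push prompts can be approved with a single tap
        q = failed[user]
        while q and ts - q[0] > window:
            q.popleft()  # forget failures that fell out of the window
        if result in ("denied", "timeout"):
            q.append(ts)
        elif result == "approved":
            if len(q) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "failed_prompts": len(q), "first_prompt": q[0]})
            q.clear()  # an approval ends the current run of prompts
    return alerts

if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert from this logic is a lead for review alongside the sign-in's source IP and device, since a user who mistaps and retries can produce the same pattern at a low threshold.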


Other tactics of note include:

  • Compromising multiple accounts within an environment and using each of those accounts for different functions to limit exposure,
  • Using a combination of Tor, Virtual Private Servers (VPS) and public Virtual Private Networks (VPN) to access victim environments,
  • Hosting second-stage payloads as encrypted blobs on legitimate websites running WordPress, and
  • Using residential IP address ranges to authenticate to victim environments.

"This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security," the researchers said. "The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise."
