Nobelium Makes Russia Leader in CyberattacksMicrosoft: 58% of Attacks Reported Worldwide Originated From Russia
Tech giant Microsoft in its annual Digital Defense Report has highlighted how Russia dominates in the list of countries from which cyberattacks originated between July 2020 and June 2021. Microsoft says 58% of cyberattacks worldwide originated in Russia, and 92% of the Russia-based threat activity came from the nation-state threat group Nobelium.
Nobelium is the threat group identified as having carried out the attack on SolarWinds and its customers in December 2020. That attack affected nearly 18,000 organizations as the threat group allegedly pushed a malicious backdoor malware into the compromised entities, subsequently affecting several federal agencies along with research centers, schools, hospitals and even Microsoft itself (see: Group Behind SolarWinds Attack Targeted Microsoft Customers).
Citing the large-scale targeting by Nobelium, Microsoft calls the group the "most active nation-state group" during the reporting period. According to the report, Nobelium accounted for 59% of the total activity by all nation-state actors around the globe. Next on the list, at 16%, is Thallium, a North Korea-linked threat actor.
Microsoft calls Nobelium's operation "insidious and devastating," citing the diverse techniques that the threat group uses. "It [Nobelium's operation] is much more diverse than just the malicious backdoor. It ranges from password spray and phishing to compromise of third-party providers to facilitate future attacks," the report says.
The report also notes that Nobelium often shifts tactics and changes the verticals it targets. Following the discovery of the SolarWinds compromise, the threat group mainly targeted IT services [45%]. In time, it shifted to targeting governmental institutions and agencies [53%].
Motivation of Russian Threat Actors
Microsoft's research team has found evidence that Russian threat actors - including Nobelium, Strontium and Bromine - have attempted to infiltrate user accounts across all continents, but "they predominantly focused on organizations based in the U.S., followed by Ukraine, the U.K. and NATO allies and member states across Europe." Microsoft says Russia's declaration of these countries as being "unfriendly" is a major reason for that.
Intelligence collection was a primary motivation of Russian threat actors, Microsoft notes: "We saw data exfiltration but little evidence of disruptive or destructive activity from the groups we track. Gaining information on the policy plans and intentions of those perceived as adversaries would be standard intelligence requirements for the Russian government agencies to whom the U.S. government attributes much of this activity."
Reuters news agency, citing an undisclosed investigating team, has confirmed that Nobelium laid its hands on some critical data during the SolarWinds hack. The data includes reports on counterintelligence investigations, policies on Russia and its associated individuals, and the United States' response to COVID-19, among others.
Microsoft's report supports this revelation. It states that these threat actors collect intelligence for their own improvement and to support their current and future operational planning. Microsoft says the threat actors accessed the following information on their victims' systems and networks:
- Sanctions policy;
- Defense/intelligence policy;
- Russia policy;
- COVID-19 information;
- Cyber incident response and threat hunting techniques;
- Assessments of Russian threat actors;
- Red team tools;
- Detection signatures;
- Source code;
- CSP accounts;
- Software certificates.
Microsoft Report Takeaways
Based on the SolarWinds attack and the subsequent response from the U.S., Microsoft says there are two takeaways concerning Nobelium:
- U.S. government's uncertainty in drawing lines: In March, a former senior adviser to Britain’s Government Communications Headquarters warned the Biden administration to avoid reacting in a stringent manner to Russia's "surgical" espionage campaign. According to Microsoft, "Russian threat actors have exploited this policy ambiguity for years and could continue to do so for years to come."
- Private sector’s role in raising defenses: Microsoft and FireEye led the incident response during the SolarWinds attack. "In the future, Nobelium and other groups could move early to handicap high-profile cybersecurity teams, anticipating that doing so will slow the time to identification and remediation of intrusions against high-value targets," Microsoft says.
Cybercriminals' Safe Haven
Roger Grimes, data-driven defense evangelist at KnowBe4, tells Information Security Media Group: "In Russia, it is widely believed that its law enforcement and government officials are personally and directly profiting from cybercriminal activity. They actively take bribes to overlook criminal activity. I am not sure if that is true, but it often appears that way."
Giving an example of one such unnamed cybercriminal, he adds: "One of the top Russian cybercriminals who is sought under warrant by the U.S. government drives an expensive sports car with the license plate that says 'thief,' and he tells anyone who listens how he is friends with Russian senior law enforcement and government officials. He is not hiding. He is bragging. And it is unfortunate that many countries allow it or even seem to encourage it."
Nobelium's Other Operations
The U.S. government has linked Nobelium - also called UNC2542 by FireEye, StellarParticle by CrowdStrike, and Cozy Bear or APT29 by others - to Russia's Foreign Intelligence Service, or SVR.
In August, the U.S. Department of Justice said Nobelium attackers had compromised at least one email account at each of 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020. These various intrusions at federal prosecutors' offices targeted the Microsoft Office 365 accounts belonging to department employees. The attackers were able to access all email communications as well as message attachments, the Justice Department said (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).
In May, the group started a fresh phishing campaign that compromised a marketing firm used by the U.S. Agency for International Development, or USAID. Post-compromise, the attackers sent malicious messages to thousands of potential victims (see: SolarWinds Attackers Return With Fresh Phishing Campaign).
In March, researchers at Microsoft and FireEye disclosed that the hacker group had begun to use malware such as GoldMax, GoldFinder, Sibot and Sunshuttle. Recently, it has added a new malware dubbed FoggyWeb to its armory. FoggyWeb creates a backdoor to exfiltrate sensitive ADFS server data (see: Russia-Linked Nobelium Deploying New 'FoggyWeb' Malware).