Nobelium Hacking Group Targets French Organisations

Recently, ANSSI revealed that it has observed several phishing campaigns conducted against French entities.

According to the French national cyber-security agency ANSSI, the Russian-backed Nobelium hacker group responsible for last year's SolarWinds hack has now been targeting French firms since February 2021. 

While ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) has not identified how Nobelium gained access to email accounts belonging to French organizations, it has stated that the hackers used those accounts to send malicious emails to international entities.

In turn, French government organizations were targeted by fraudulent emails sent from servers belonging to foreign firms, which are believed to have been compromised by the same threat actor. Nobelium's infrastructure for the attacks on French entities was built primarily from virtual private servers (VPS) rented from several hosting companies, with a preference for OVH servers located close to the targeted countries.

"Overlaps have been identified in the tactics, techniques, and procedures (TTP) between the phishing campaigns monitored by ANSSI and the SOLARWINDS supply chain attack in 2020," ANSSI explained in a report. 

To counter this group's attacks, ANSSI advises restricting the processing of email attachments so that the malicious files delivered in these phishing campaigns are blocked.

The French cyber-security agency additionally urges at-risk enterprises to apply its Active Directory security hardening guidance, with particular attention to the AD servers themselves.

Nobelium, the hacker squad responsible for last year's SolarWinds supply-chain attack, which resulted in the compromise of various US federal agencies, is the cyber arm of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, The Dukes, or Cozy Bear.

In April, the US government formally accused the SVR of organizing the "broad-scope cyber-espionage campaign" that targeted SolarWinds.

Based on tactics observed in incidents dating back to 2018, cybersecurity firm Volexity has also attributed the attacks to the same threat actor.

The Microsoft Threat Intelligence Center (MSTIC) revealed information in May on a Nobelium phishing effort that targeted government agencies from 24 countries. 

Nobelium is still targeting the worldwide IT supply chain, according to Microsoft, having hit 140 managed service providers (MSPs) and cloud service providers and compromised at least 14 since May 2021. 

Nobelium also attacked Active Directory Federation Services (AD FS) servers, seeking to infiltrate governments, think tanks, and private companies in the United States and Europe using FoggyWeb, a new passive and highly targeted backdoor.

In October, Microsoft disclosed that Nobelium was perhaps the most prominent Russian hacking organization between July 2020 and June 2021, orchestrating the attacks behind 92% of the notifications Microsoft sent to customers about Russia-based threat activity.

Mandiant has also linked the hacking organization to attempts to compromise government and enterprise networks throughout the world by targeting their MSPs with a new backdoor codenamed Ceeloader, which is designed to deliver additional malware and capture sensitive information of political importance to Russia.