📢 April 18, 2023 - Microsoft has changed its naming taxonomy for threat actors, moving away from element symbols to weather-related names. Under the new taxonomy, APT29 is now named Midnight Blizzard. In this blog, I will use the name "NOBELIUM" instead of Midnight Blizzard.
NOBELIUM is a Russian state-sponsored hacking group that conducts cyber espionage and attacks against various targets. It was previously known as APT29 or Cozy Bear and is responsible for high-profile attacks such as the SolarWinds hack.
According to a Microsoft Security blog update:
Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.
SolarWinds, the SUNBURST backdoor, TEARDROP malware, Supply chain attack, Solorigate
The attackers added malicious code to the SolarWinds Orion Platform DLL file, which was distributed as part of a software update. The DLL file was digitally signed, indicating that the attackers had access to the company's software development and distribution pipeline. The malicious code created a backdoor, which allowed the attackers to operate in compromised networks without being detected. The backdoor was designed to blend in with the rest of the code, making it difficult to spot. The attackers used a lengthy list of functions and capabilities to perform a wide range of actions, including reconnaissance, privilege escalation, and lateral movement. The attackers took many steps to maintain a low profile, such as using unique subdomains for each affected domain to evade detection.
Microsoft Security Blog, NOBELIUM infection chain
- The SolarWinds.BusinessLayerHost.exe file is a legitimate file used by the SolarWinds Orion IT management software.
- The malicious activity was not directly caused by the executable file, but rather by a compromised DLL file that was loaded into the executable.
- The attackers were able to insert the malicious code into the DLL file during an early stage of the software build, before the final stages that would include digitally signing the compiled code.
- The compromised DLL file is digitally signed, which enhances its ability to run privileged actions and avoid detection.
- The malicious code is designed to be lightweight and run in the background, so as not to interfere with the normal operation of the SolarWinds software.
- Once the malicious code is loaded, it allows the attackers to perform a wide range of actions and move laterally across the network, with the ultimate goal of achieving their objectives, which may include cyber espionage or financial gain.
If your environment has been compromised by the NOBELIUM attack, the first step you should take is "Containment". If you are using Microsoft Security solutions such as Microsoft Defender for Endpoint (MDE) or Microsoft Defender for Identity (MDI), take the following containment actions:
- Isolate devices from the network
- Contain devices from the network
- Reset user account password
- Disable AD user / Azure AD user
If you are not using Microsoft Security solutions, then take the following actions:
- Immediately isolate the affected device
- Reset passwords or decommission the accounts
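The containment steps above, carried out with the Microsoft tooling the post mentions, as an added example that is not part of the original post or of any Microsoft sample. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed, that you have already run Connect-MgGraph with User.ReadWrite.All, and that $MdeToken holds a Defender for Endpoint API token with the Machine.Isolate permission; $SamAccountName, $UserPrincipalName and $MachineId are placeholders for the affected account and device.

```powershell
# Added example (not from the original post): contain one user and one device
# suspected of NOBELIUM activity. Module, token and identity values are assumptions.
param(
    [Parameter(Mandatory)][string]$SamAccountName,     # on-prem AD account, e.g. jdoe
    [Parameter(Mandatory)][string]$UserPrincipalName,  # Azure AD account, e.g. jdoe@contoso.com
    [Parameter(Mandatory)][string]$MachineId,          # MDE machine id of the affected device
    [Parameter(Mandatory)][string]$MdeToken,           # bearer token for api.securitycenter.microsoft.com
    [string]$Comment = "Containment: suspected NOBELIUM activity"
)

# 1. Isolate the device from the network through the Defender for Endpoint API
#    (POST /api/machines/{id}/isolate). "Full" isolation leaves only the MDE channel open.
$isolateUri = "https://api.securitycenter.microsoft.com/api/machines/$MachineId/isolate"
$isolation = Invoke-RestMethod -Method Post -Uri $isolateUri `
    -Headers @{ Authorization = "Bearer $MdeToken" } -ContentType "application/json" `
    -Body (@{ Comment = $Comment; IsolationType = "Full" } | ConvertTo-Json)
Write-Host "Isolation action $($isolation.id) status: $($isolation.status)"

# 2. Disable the on-prem AD account and reset its password so that any cached or
#    stolen credentials stop working. The new password is random and never displayed;
#    a fresh one is set during recovery.
Disable-ADAccount -Identity $SamAccountName
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword

# 3. Disable the Azure AD account and revoke its refresh tokens so existing sessions
#    are cut off now rather than surviving until token expiry.
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

Write-Host "Contained $SamAccountName / $UserPrincipalName and device $MachineId; proceed to investigation."
```

Run it once per affected user/device pair and record the returned isolation action id in the incident ticket so the isolation can be lifted during recovery.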
NIST 800-61 incident response phases
After containment, move to investigation and recovery.
These are the key messages from Microsoft Defenders:
- Vulnerability management & Patching
- Zero Trust implementation
- Protect your identity, e.g. Enable MFA
- Use secure devices for critical tasks
- Need advanced monitoring system tools such as SIEM, XDR and EDR
- Collect data for further investigation
- Leverage Threat Intelligence for the investigation
- Practice and train incident response regularly, specifically for APT29 attacks
- Think about an incident response plan
- Think about a recovery plan
- Decoding NOBELIUM: When nation-states attack (Episode 1)
- Decoding NOBELIUM: The hunt for a global threat (Episode 2)
- Decoding NOBELIUM: Countermeasures (Episode 3)
- Decoding NOBELIUM: After-action report (Episode 4)
December 15, 2020, Ensuring customers are protected from Solorigate
December 18, 2020, Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack....
December 28, 2020, Using Microsoft 365 Defender to protect against Solorigate
January 20, 2021, Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
March 4, 2021, GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence
May 27, 2021, New sophisticated email-based attack from NOBELIUM
May 28, 2021, Breaking down NOBELIUM’s latest early-stage toolset
September 27, 2021, FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor
October 25, 2021, NOBELIUM targeting delegated administrative privileges to facilitate broader attacks
February 8, 2023, Solving one of NOBELIUM’s most novel attacks: Cyberattack Series
- How nation-state attackers like NOBELIUM are changing cybersecurity
- The hunt for NOBELIUM, the most sophisticated nation-state attack in history
- Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack
- The final report on NOBELIUM’s unprecedented nation-state attack
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.