
Nobelium SSH


NOBELIUM (also known as APT29 or Cozy Bear) is a Russian state-sponsored threat actor that has been involved in high-profile attacks, including the SolarWinds supply chain attack. Its arsenal includes malware such as SUNBURST, TEARDROP, and FoggyWeb, which exploit SSH vulnerabilities to get into systems.

Key Insights


NOBELIUM has demonstrated its cyber espionage capabilities by targeting government agencies, think tanks, and non-governmental organizations, mainly in Europe and North America. Its attacks are advanced persistent threats (APTs) that use custom malware and new attack vectors to get into target networks and maintain long-term access to them.

Attack Vectors

The group uses various techniques to achieve its goals, including spear phishing, exploitation of software vulnerabilities, and abuse of legitimate services for command and control (C2). Its malware (FoggyWeb) is designed to exfiltrate sensitive data and deploy additional payloads, so the group can adapt to different environments and objectives.

Impact and Consequences

NOBELIUM's activities pose a threat to national security, economic stability, and public trust. By compromising critical infrastructure and exfiltrating confidential data, the group undermines the integrity of the target organizations and can cause widespread disruption. Its persistent and evolving tactics require continuous monitoring and adaptation from cybersecurity professionals.

Known Variants


  • SUNBURST: Used during the SolarWinds attack as a backdoor to the compromised systems.

  • TEARDROP: A custom dropper used during the SolarWinds campaign to deploy additional payloads.

  • FoggyWeb: A passive backdoor to exfiltrate sensitive data from Active Directory Federation Services (AD FS) servers.


Mitigation Strategies


  • Enforce key-based authentication for SSH.

  • Regularly audit and remove unused SSH keys.

  • Monitor SSH logs for unusual activities or unauthorized access.

  • Keep systems and software up to date.
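The first and third mitigations above (enforce key-based authentication, monitor SSH logs) can both be checked mechanically. The following Python script is an added example written for this page, not code from NOBELIUM research or any referenced project: it audits an sshd_config excerpt for settings that contradict a key-only policy, and runs simple detection logic over a few constructed auth.log lines (the hostnames, addresses and timestamps are made up) to flag brute-force bursts, password logins, and root logins. The directive names are real OpenSSH directives; the threshold and alert wording are assumptions.

```python
import re
from collections import Counter

# Constructed sshd_config excerpt: contains the weak settings a key-only
# policy should remove. Not taken from any real host.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
#ChallengeResponseAuthentication no
"""

# Constructed auth.log excerpt (not real telemetry): a password spray
# against root followed by a successful password login, then a normal
# key-based login by a service account.
SAMPLE_AUTH_LOG = """\
Jan 10 03:12:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51922 ssh2
Jan 10 03:12:04 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51922 ssh2
Jan 10 03:12:07 bastion sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51930 ssh2
Jan 10 03:12:09 bastion sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51940 ssh2
Jan 10 03:12:12 bastion sshd[2207]: Failed password for root from 203.0.113.7 port 51950 ssh2
Jan 10 03:13:40 bastion sshd[2210]: Accepted password for root from 203.0.113.7 port 51960 ssh2
Jan 10 08:01:15 bastion sshd[2305]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:AbCdEf...
"""

# Policy: which values each directive may take under key-only authentication.
EXPECTED = {
    "PermitRootLogin": {"no", "prohibit-password"},
    "PasswordAuthentication": {"no"},
    "PubkeyAuthentication": {"yes"},
}


def audit_sshd_config(text):
    """Return (directive, value) pairs that violate the key-only policy."""
    findings = []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip().lower()
        if key in EXPECTED:
            seen.add(key)
            if value not in EXPECTED[key]:
                findings.append((key, value))
    # OpenSSH defaults PasswordAuthentication to yes, so leaving it unset
    # is itself a policy violation.
    if "PasswordAuthentication" not in seen:
        findings.append(("PasswordAuthentication", "<unset, defaults to yes>"))
    return findings


# Matches both "Accepted publickey for deploy from ..." and
# "Failed password for invalid user admin from ...".
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def scan_auth_log(lines, fail_threshold=3):
    """Flag brute-force bursts, password logins, and root logins.

    fail_threshold is an assumed tuning value, not an OpenSSH setting.
    """
    failures = Counter()
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        result, method, user, ip = m.group("result", "method", "user", "ip")
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] == fail_threshold:  # alert once per source
                alerts.append(f"brute-force: {ip} reached {fail_threshold} failed logins")
        else:  # Accepted
            if method == "password":
                alerts.append(f"password login accepted for {user} from {ip} (policy requires keys)")
            if user == "root":
                alerts.append(f"root login from {ip}")
            if failures[ip] >= fail_threshold:
                alerts.append(f"success after brute-force from {ip} as {user}")
    return alerts


if __name__ == "__main__":
    for key, value in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"config: {key} = {value}")
    for alert in scan_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(f"log: {alert}")
```

On the sample input the audit reports PermitRootLogin and PasswordAuthentication, and the log scan raises four alerts: the brute-force burst, the password login, the root login, and a success following the burst. The key-based login by the service account produces nothing, which is the behaviour a tuned detection should have. In production the log lines would come from the system journal or a SIEM rather than an embedded string, and the source-address counter should be keyed on a time window rather than the whole file.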

Targeted Industries or Sectors


NOBELIUM targets government agencies, think tanks, and non-governmental organizations, mainly in Europe and North America. The group focuses on organizations that handle sensitive data related to geopolitical interests.


Associated Threat Actors


NOBELIUM is associated with APT29 (also known as Cozy Bear), a Russian state-sponsored threat actor linked to the Russian Foreign Intelligence Service (SVR). Its attacks are stealthy, persistent, and focused on intelligence gathering.


References