NOBELIUM (also known as APT29 or Cozy Bear) is a Russian state-sponsored threat actor that has been involved in high-profile attacks, including the SolarWinds supply chain attack. Its arsenal includes malware such as SUNBURST, TEARDROP, and FoggyWeb, which exploit SSH vulnerabilities to get into systems.
NOBELIUM has demonstrated its cyber espionage capabilities by targeting government agencies, think tanks, and non-governmental organizations, mainly in Europe and North America. Its operations are advanced persistent threats (APTs) that use custom malware and novel attack vectors to gain and maintain long-term access to target networks.
Attack Vectors
They use various techniques to achieve their goals, including spear phishing, exploitation of software vulnerabilities, and abuse of legitimate services for command and control (C2). Their malware (FoggyWeb) is designed to exfiltrate sensitive data and deploy additional payloads, allowing the actor to adapt to different environments and objectives.
Impact and Consequences
NOBELIUM's activities pose a threat to national security, economic stability, and public trust. By compromising critical infrastructure and exfiltrating confidential data, they undermine the integrity of the target organizations and can cause widespread disruption. Their persistent and evolving tactics require continuous monitoring and adaptation from cybersecurity professionals.
Associated Malware
SUNBURST: Used during the SolarWinds attack as a backdoor into the compromised systems.
TEARDROP: A custom dropper used during the SolarWinds campaign to deploy additional payloads.
FoggyWeb: A passive backdoor used to exfiltrate sensitive data from Active Directory Federation Services (AD FS) servers.
Mitigations
Enforce key-based authentication for SSH.
Regularly audit and remove unused SSH keys.
Monitor SSH logs for unusual activities or unauthorized access.
Keep systems and software up to date.
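As an added example (not code from the original page), the following Python checker applies the SSH mitigations above to constructed sshd log lines: it flags accepted password logins (a violation of a key-only policy), public-key logins whose fingerprint is missing from an audited key inventory, and repeated failed logins from one source. The hostnames, addresses, fingerprints and the KNOWN_FINGERPRINTS inventory are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (OpenSSH auth.log format); not from the original page.
SAMPLE_LOG = """\
Jan 12 03:14:07 fs01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2: ED25519 SHA256:AAAAkeyfp1
Jan 12 03:14:09 fs01 sshd[1240]: Accepted password for root from 203.0.113.7 port 40012 ssh2
Jan 12 03:14:10 fs01 sshd[1241]: Failed password for invalid user admin from 203.0.113.7 port 40013 ssh2
Jan 12 03:14:11 fs01 sshd[1242]: Failed password for invalid user admin from 203.0.113.7 port 40014 ssh2
Jan 12 03:14:12 fs01 sshd[1243]: Failed password for root from 203.0.113.7 port 40015 ssh2
Jan 12 03:15:02 fs01 sshd[1250]: Accepted publickey for svc-backup from 10.0.0.9 port 51100 ssh2: RSA SHA256:BBBBkeyfp2
"""

# Hypothetical inventory of approved key fingerprints, as produced by an audit of authorized_keys files.
KNOWN_FINGERPRINTS = {"SHA256:AAAAkeyfp1"}

# Successful login: method, user, source IP and (for publickey) the key fingerprint.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: \S+ (?P<fp>SHA256:\S+))?"
)
# Failed password attempt, with or without the "invalid user" prefix.
FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")


def analyze(log_text, known_fps=KNOWN_FINGERPRINTS, fail_threshold=3):
    """Return a list of (rule, detail) findings for the given sshd log text."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            if m["method"] != "publickey":
                # Key-only policy: any non-publickey success is a misconfiguration or a compromise.
                findings.append(("PASSWORD_AUTH_ACCEPTED", f"{m['user']} from {m['ip']}"))
            elif m["fp"] and m["fp"] not in known_fps:
                # Key not in the audited inventory: stale or unauthorized authorized_keys entry.
                findings.append(("UNKNOWN_KEY", f"{m['user']} used {m['fp']} from {m['ip']}"))
            continue
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append(("BRUTE_FORCE", f"{n} failed logins from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

In production the same rules would run over the live journal or auth.log stream and the fingerprint set would be regenerated on every key audit.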
NOBELIUM targets government agencies, think tanks and non-governmental organizations, mainly in Europe and North America. They focus on organizations that handle sensitive data related to geopolitical interests.
NOBELIUM is associated with APT29 (also known as Cozy Bear), a Russian state-sponsored threat actor linked to the Russian Foreign Intelligence Service (SVR). Its attacks are stealthy, persistent, and focused on intelligence gathering.