{
	"id": "f6001746-45dd-4f48-a628-db75aec82606",
	"created_at": "2026-04-06T01:29:49.009171Z",
	"updated_at": "2026-04-10T13:12:25.24942Z",
	"deleted_at": null,
	"sha1_hash": "1e5d4ed45f8cadb3c617a61019752904bad6c526",
	"title": "New activity from Russian actor Nobelium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40132,
	"plain_text": "New activity from Russian actor Nobelium\r\nBy Tom Burt\r\nPublished: 2021-10-25 · Archived: 2026-04-06 00:32:17 UTC\r\nToday, we’re sharing the latest activity we’ve observed from the Russian nation-state actor Nobelium. This is the\r\nsame actor behind the cyberattacks targeting SolarWinds customers in 2020 and which the U.S. government and\r\nothers have identified as being part of Russia’s foreign intelligence service known as the SVR.\r\nNobelium has been attempting to replicate the approach it has used in past attacks by targeting organizations\r\nintegral to the global IT supply chain. This time, it is attacking a different part of the supply chain: resellers and\r\nother technology service providers that customize, deploy and manage cloud services and other technologies on\r\nbehalf of their customers. We believe Nobelium ultimately hopes to piggyback on any direct access that resellers\r\nmay have to their customers’ IT systems and more easily impersonate an organization’s trusted technology partner\r\nto gain access to their downstream customers. We began observing this latest campaign in May 2021 and have\r\nbeen notifying impacted partners and customers while also developing new technical assistance and guidance for\r\nthe reseller community. Since May, we have notified more than 140 resellers and technology service providers that\r\nhave been targeted by Nobelium. We continue to investigate, but to date we believe as many as 14 of these\r\nresellers and service providers have been compromised. Fortunately, we have discovered this campaign during its\r\nearly stages, and we are sharing these developments to help cloud service resellers, technology providers, and\r\ntheir customers take timely steps to help ensure Nobelium is not more successful.\r\nThese attacks have been a part of a larger wave of Nobelium activities this summer. 
In fact, between July 1 and\r\nOctober 19 this year, we informed 609 customers that they had been attacked 22,868 times by Nobelium, with a\r\nsuccess rate in the low single digits. By comparison, prior to July 1, 2021, we had notified customers about attacks\r\nfrom all nation-state actors 20,500 times over the past three years.\r\nThis recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of\r\npoints in the technology supply chain and establish a mechanism for surveilling – now or in the future – targets of\r\ninterest to the Russian government. While we are sharing details here about the most recent activity by Nobelium,\r\nthe Microsoft Digital Defense Report, published earlier this month, highlights continued attacks from other\r\nnation-state actors and cybercriminals. In line with these attacks, we are notifying our customers when they are\r\ntargeted or compromised by those actors.\r\nThe attacks we’ve observed in the recent campaign against resellers and service providers have not attempted to\r\nexploit any flaw or vulnerability in software but rather used well-known techniques, like password spray and\r\nphishing, to steal legitimate credentials and gain privileged access. We have learned enough about these new\r\nattacks, which began as early as May this year, that we can now provide actionable information which can be used\r\nto defend against this new approach.\r\nWe’ve also been coordinating with others in the security community to improve our knowledge of, and protections\r\nagainst, Nobelium’s activity, and we’ve been working closely with government agencies in the U.S. 
and Europe.\r\nhttps://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/\r\nPage 1 of 3\n\nWhile we are clear-eyed that nation-states, including Russia, will not stop attacks like these overnight, we believe\r\nsteps like the cybersecurity executive order in the U.S., and the greater coordination and information sharing\r\nwe’ve seen between industry and government in the past two years, have put us all in a much better position to\r\ndefend against them.\r\nWe have long maintained and evolved the security requirements and policies we enforce with service providers\r\nthat sell or support Microsoft technology. For example, in September 2020, we updated contracts with our\r\nresellers to expand Microsoft’s abilities and rights to address reseller security incidents and to require that resellers\r\nimplement specific security protections for their environments, such as restricting Partner Portal access and\r\nrequiring that resellers enable multi-factor authentication (MFA) in accessing our cloud portals and underlying\r\nservices, and we will take the necessary and appropriate steps to enforce these security commitments. We continue\r\nto assess and identify new opportunities to drive greater security throughout the partner ecosystem, recognizing\r\nthe need for continuous improvement. 
As a result of what we have learned over the past several months, we are\r\nworking to implement improvements that will help better secure and protect the ecosystem, especially for the\r\ntechnology partners in our supply chain:\r\nAs noted above, in September 2020, we rolled out MFA to access Partner Center and to use delegated\r\nadministrative privilege (DAP) to manage a customer environment\r\nOn October 15, we launched a program to provide two years of an Azure Active Directory Premium plan\r\nfor free that provides extended access to additional premium features to strengthen security controls\r\nMicrosoft threat protection and security operations tools such as Microsoft Cloud App Security (MCAS),\r\nM365 Defender, Azure Defender and Azure Sentinel have added detections to help organizations identify\r\nand respond to these attacks\r\nWe are currently piloting new and more granular features for organizations that want to provide privileged\r\naccess to resellers\r\nWe are piloting improved monitoring to empower partners and customers to manage and audit their\r\ndelegated privileged accounts and remove unnecessary authority\r\nWe are auditing unused privileged accounts and working with partners to assess and remove unnecessary\r\nprivilege and access\r\nToday, we are also releasing technical guidance that can help organizations protect themselves against the latest\r\nNobelium activity we’ve observed as the actor has honed its techniques as well as guidance for partners.\r\nThese are just the immediate steps that we’ve taken and, in the coming months, we will be engaging closely with\r\nall of our technology partners to further improve security. We will make it easier for service providers of all sizes\r\nto access our most advanced services for managing secure log-in, identity and access management solutions for\r\nfree or at a low cost.\r\nAs we said in May, progress must continue. 
At Microsoft, we will continue our efforts across all these issues and\r\nwill continue to work across the private sector, with the U.S. administration and with all other interested\r\ngovernments to make this progress.\r\nTags: cybersecurity, Microsoft Digital Defense Report, Nobelium\r\nSource: https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/"
	],
	"report_names": [
		"new-activity-from-russian-actor-nobelium"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438989,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e5d4ed45f8cadb3c617a61019752904bad6c526.pdf",
		"text": "https://archive.orkl.eu/1e5d4ed45f8cadb3c617a61019752904bad6c526.txt",
		"img": "https://archive.orkl.eu/1e5d4ed45f8cadb3c617a61019752904bad6c526.jpg"
	}
}