{ "id": "0b898cc0-1c75-49ef-9acc-1b55b11d9cef", "created_at": "2026-04-06T00:10:03.877257Z", "updated_at": "2026-04-10T03:37:33.399438Z", "deleted_at": null, "sha1_hash": "33192abd463efa557f6ab89cec09567310eb076c", "title": "Russian hackers bypass 2FA by annoying victims with repeated push notifications", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 89639, "plain_text": "Russian hackers bypass 2FA by annoying victims with repeated\r\npush notifications\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-21 · Archived: 2026-04-06 00:05:49 UTC\r\nNobelium, the Russian cyber-espionage group that has orchestrated the SolarWinds 2020 supply chain attack, has\r\ncontinued to carry out new attacks throughout 2021, and according to security firm Mandiant, has been using a\r\nclever trick to bypass two-factor authentication in order to access some of its targets' accounts.\r\nThe technique, detailed in a report published on Monday, involves abusing the push notification feature of some\r\nonline accounts.\r\n2FA (two-factor authentication) or MFA (multi-factor authentication) push notifications are typically used as an\r\nalternative to receiving one-time codes via SMS or email, and they take the form of a popup that appears on a\r\nsmartphone.\r\nWhen a user logs into an account with valid credentials, a push notification is shown on their smartphone, with\r\ndetails about the type and IP address of the device trying to access the account and asking for permission to allow\r\nthe operation to go through.\r\n2FA push notifications aren't widely adopted, but they are considered safer than email or SMS as a 2FA method\r\nbecause attackers would need physical access to a victim's smartphone in order to bypass it.\r\nBut on Monday, Mandiant researchers said they'd investigated several incidents where Nobelium members gained\r\naccess to a user's valid login credentials, and they repeatedly attempted to log into the account, triggering repeated\r\n2FA push notifications on the victim's device until the target eventually accepted the request.\r\nIt is unclear if these victims accepted the push notification by accident; because they thought it might have been a\r\nbug; or by sheer annoyance.\r\nBecause Nobelium often uses IP proxies in the same geographical area as the victim to avoid triggering a target's\r\nscrutiny over login requests from strange IPs, this might explain why some victims accepted the attacker's into\r\ntheir accounts.\r\nNobelium continues to operate with advanced tradecraft\r\nAll in all, the Mandiant report paints the picture of an apex threat actor that continues to showcase \"top-notch\r\noperational security and advanced tradecraft,\" and will certainly not be defined by the SolarWinds hack as its sole\r\nsuccessful operation.\r\nAmong the group's most recent tactics and operations, Mandiant also highlighted:\r\nhttps://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/\r\nPage 1 of 3\n\nIntrusions and compromises of multiple cloud providers, from where the group pivoted to their respective\r\ndownstream customer systems.\r\nThe use of login credentials most likely acquired from the black market, from the operators of the\r\nCRYPTBOT infostealer.\r\nThe use of hacked accounts with Application Impersonation privileges [1, 2] to harvest sensitive mail data\r\nsince Q1 2021. \r\nThe extraction of virtual machines from compromised networks to determine internal routing\r\nconfigurations.\r\nThe use of a new malware strain named CEELOADER, as the initial entry point and used later to drop new\r\nmalware binaries.\r\nThe use of residential IP addresses ranges to authenticate into victim environments.\r\nThe use of Azure servers to collect data that are geo-located in the same cloud zone as the victim network\r\nto avoid triggering security alerts.\r\nThe use of hacked WordPress sites to store their malware.\r\nThe extensive use of Tor, VPNs, and VPS servers to disguise their real location when conducting\r\nreconnaissance and attacks.\r\nAttempts to circumvent or delete system logging within the victim's environment.\r\nIn April this year, the White House formally linked the Nobelium threat actor to the Russian Foreign Intelligence\r\nService, also known as the SVR, the same agency which security experts believe is behind the APT29 (Cozy\r\nBear) threat actor.\r\nhttps://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/\r\nhttps://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "https://therecord.media/russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications/" ], "report_names": [ "russian-hackers-bypass-2fa-by-annoying-victims-with-repeated-push-notifications" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434203, "ts_updated_at": 1775792253, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/33192abd463efa557f6ab89cec09567310eb076c.pdf", "text": "https://archive.orkl.eu/33192abd463efa557f6ab89cec09567310eb076c.txt", "img": "https://archive.orkl.eu/33192abd463efa557f6ab89cec09567310eb076c.jpg" } }