{ "id": "eb44194b-85bc-44bc-8c9f-24150d788924", "created_at": "2026-04-06T01:30:10.062499Z", "updated_at": "2026-04-10T03:37:33.328404Z", "deleted_at": null, "sha1_hash": "480e34ae4bc03772fa5e7eb0ff18b3801cc9126e", "title": "France warns of Nobelium cyberspies attacking French orgs", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3398614, "plain_text": "France warns of Nobelium cyberspies attacking French orgs\r\nBy Sergiu Gatlan\r\nPublished: 2021-12-06 · Archived: 2026-04-06 00:29:03 UTC\r\nThe French national cyber-security agency ANSSI said today that the Russian-backed Nobelium hacking group behind last\r\nyear's SolarWinds hack has been targeting French organizations since February 2021.\r\nWhile ANSSI (short for Agence Nationale de la Sécurité des Systèmes d'Information) has not determined how Nobelium\r\ncompromised email accounts belonging to French orgs, it added that the hackers used them to deliver malicious emails\r\ntargeting foreign institutions.\r\nIn turn, French public orgs were also the targets of spoofed emails sent from servers belonging to foreign entities, believed\r\nto be compromised by the same threat actor.\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nThe infrastructure used by Nobelium in the attacks against French entities was mainly set up using virtual private servers\r\n(VPS) from different hosting companies (favoring servers from OVH and located close to the targeted countries).\r\n\"Overlaps have been identified in the tactics, techniques \u0026 procedures (TTP) between the phishing campaigns monitored by\r\nANSSI and the SOLARWINDS supply chain attack in 2020,\" ANSSI explained in a report published today.\r\nTo defend against this hacking group's attacks, ANSSI recommends restricting the execution of email attachments to block\r\nmalicious files delivered in phishing campaigns.\r\nThe French cyber-security agency also advises at-risk organizations to tighten Active Directory security (and AD servers in\r\nparticular) using its Active Directory security hardening guide.\r\nNobelium and its high profile targets\r\nNobelium, the hacking group behind last year's SolarWinds supply-chain attack, which led to the breach of multiple US\r\nfederal agencies, is the hacking division of the Russian Foreign Intelligence Service (SVR), also tracked as APT29, The\r\nDukes, or Cozy Bear.\r\nThe US government formally accused the SVR division in April of orchestrating the \"broad-scope cyber espionage\r\ncampaign\" that hit SolarWinds.\r\nCybersecurity firm Volexity also linked the attacks to the same threat actor based on tactics observed in incidents starting\r\nwith 2018.\r\nIn May, the Microsoft Threat Intelligence Center (MSTIC) shared info on a Nobelium phishing campaign targeting\r\ngovernment agencies from 24 countries worldwide.\r\nAs further reported by Microsoft in recent months, Nobelium is still targeting the global IT supply chain, having attacked\r\n140 managed service providers (MSPs) and cloud service providers and breached at least 14 since May 2021.\r\nNobelium also targeted Active Directory Federation Services (AD FS) servers, attempting to compromise governments,\r\nthink tanks, and private companies from the US and Europe using a new passive and highly targeted backdoor dubbed\r\nFoggyWeb.\r\nMicrosoft revealed in October that Nobelium was the most active Russian hacking group between July 2020 and June 2021,\r\ncoordinating the attacks behind 92% of alerts Microsoft sent to customers regarding Russia-based threat activity.\r\nEarlier today, Mandiant linked the hacking group to attempts to breach government and enterprise networks around the\r\nworld by targeting their MSPs with a new backdoor dubbed Ceeloader designed to deploy further malware and harvest\r\nsensitive info of political interest to Russia.\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/\r\nhttps://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/france-warns-of-nobelium-cyberspies-attacking-french-orgs/" ], "report_names": [ "france-warns-of-nobelium-cyberspies-attacking-french-orgs" ], "threat_actors": [ { "id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba", "created_at": "2022-10-25T16:07:24.36191Z", "updated_at": "2026-04-10T02:00:04.954902Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "Dark Halo", "Nobelium", "SolarStorm", "StellarParticle", "UNC2452" ], "source_name": "ETDA:UNC2452", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89", "created_at": "2022-10-25T15:50:23.739197Z", "updated_at": "2026-04-10T02:00:05.275809Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ], "source_name": "MITRE:UNC2452", "tools": [ "Sibot", "Mimikatz", "Cobalt Strike", "AdFind", "GoldMax" ], "source_id": "MITRE", "reports": null }, { "id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e", "created_at": "2024-06-04T02:03:07.956135Z", "updated_at": "2026-04-10T02:00:03.689959Z", "deleted_at": null, "main_name": "IRON HEMLOCK", "aliases": [ "APT29 ", "ATK7 ", "Blue Kitsune ", "Cozy Bear ", "The Dukes", "UNC2452 ", "YTTRIUM " ], "source_name": "Secureworks:IRON HEMLOCK", "tools": [ "CosmicDuke", "CozyCar", "CozyDuke", "DiefenDuke", "FatDuke", "HAMMERTOSS", "LiteDuke", "MiniDuke", "OnionDuke", "PolyglotDuke", "RegDuke", "RegDuke Loader", "SeaDuke", "Sliver" ], "source_id": "Secureworks", "reports": null }, { "id": "a241a1ca-2bc9-450b-a07b-aae747ee2710", "created_at": "2024-06-19T02:03:08.150052Z", "updated_at": "2026-04-10T02:00:03.737173Z", "deleted_at": null, "main_name": "IRON RITUAL", "aliases": [ "APT29", "Blue Dev 5 ", "BlueBravo ", "Cloaked Ursa ", "CozyLarch ", "Dark Halo ", "Midnight Blizzard ", "NOBELIUM ", "StellarParticle ", "UNC2452 " ], "source_name": "Secureworks:IRON RITUAL", "tools": [ "Brute Ratel C4", "Cobalt Strike", "EnvyScout", "GoldFinder", "GoldMax", "NativeZone", "RAINDROP", "SUNBURST", "Sibot", "TEARDROP", "VaporRage" ], "source_id": "Secureworks", "reports": null }, { "id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb", "created_at": "2023-01-06T13:46:38.393409Z", "updated_at": "2026-04-10T02:00:02.955738Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "Cloaked Ursa", "TA421", "Blue Kitsune", "BlueBravo", "IRON HEMLOCK", "G0016", "Nobelium", "Group 100", "YTTRIUM", "Grizzly Steppe", "ATK7", "ITG11", "COZY BEAR", "The Dukes", "Minidionis", "UAC-0029", "SeaDuke" ], "source_name": "MISPGALAXY:APT29", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "70872c3a-e788-4b55-a7d6-b2df52001ad0", "created_at": "2023-01-06T13:46:39.18401Z", "updated_at": "2026-04-10T02:00:03.239111Z", "deleted_at": null, "main_name": "UNC2452", "aliases": [ "DarkHalo", "StellarParticle", "NOBELIUM", "Solar Phoenix", "Midnight Blizzard" ], "source_name": "MISPGALAXY:UNC2452", "tools": [ "SNOWYAMBER", "HALFRIG", "QUARTERRIG" ], "source_id": "MISPGALAXY", "reports": null }, { "id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a", "created_at": "2022-10-25T15:50:23.548494Z", "updated_at": "2026-04-10T02:00:05.292748Z", "deleted_at": null, "main_name": "APT29", "aliases": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524", "Midnight Blizzard" ], "source_name": "MITRE:APT29", "tools": [ "PinchDuke", "ROADTools", "WellMail", "CozyCar", "Mimikatz", "Tasklist", "OnionDuke", "FatDuke", "POSHSPY", "EnvyScout", "SoreFang", "GeminiDuke", "reGeorg", "GoldMax", "FoggyWeb", "SDelete", "PolyglotDuke", "AADInternals", "MiniDuke", "SeaDuke", "Sibot", "RegDuke", "CloudDuke", "GoldFinder", "AdFind", "PsExec", "NativeZone", "Systeminfo", "ipconfig", "Impacket", "Cobalt Strike", "PowerDuke", "QUIETEXIT", "HAMMERTOSS", "BoomBox", "CosmicDuke", "WellMess", "VaporRage", "LiteDuke" ], "source_id": "MITRE", "reports": null }, { "id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270", "created_at": "2022-10-25T16:07:23.341684Z", "updated_at": "2026-04-10T02:00:04.549917Z", "deleted_at": null, "main_name": "APT 29", "aliases": [ "APT 29", "ATK 7", "Blue Dev 5", "BlueBravo", "Cloaked Ursa", "CloudLook", "Cozy Bear", "Dark Halo", "Earth Koshchei", "G0016", "Grizzly Steppe", "Group 100", "ITG11", "Iron Hemlock", "Iron Ritual", "Midnight Blizzard", "Minidionis", "Nobelium", "NobleBaron", "Operation Ghost", "Operation Office monkeys", "Operation StellarParticle", "SilverFish", "Solar Phoenix", "SolarStorm", "StellarParticle", "TEMP.Monkeys", "The Dukes", "UNC2452", "UNC3524", "Yttrium" ], "source_name": "ETDA:APT 29", "tools": [ "7-Zip", "ATI-Agent", "AdFind", "Agentemis", "AtNow", "BEATDROP", "BotgenStudios", "CEELOADER", "Cloud Duke", "CloudDuke", "CloudLook", "Cobalt Strike", "CobaltStrike", "CosmicDuke", "Cozer", "CozyBear", "CozyCar", "CozyDuke", "Danfuan", "EnvyScout", "EuroAPT", "FatDuke", "FoggyWeb", "GeminiDuke", "Geppei", "GoldFinder", "GoldMax", "GraphDrop", "GraphicalNeutrino", "GraphicalProton", "HAMMERTOSS", "HammerDuke", "LOLBAS", "LOLBins", "LiteDuke", "Living off the Land", "MagicWeb", "Mimikatz", "MiniDionis", "MiniDuke", "NemesisGemina", "NetDuke", "OnionDuke", "POSHSPY", "PinchDuke", "PolyglotDuke", "PowerDuke", "QUIETEXIT", "ROOTSAW", "RegDuke", "Rubeus", "SNOWYAMBER", "SPICYBEAT", "SUNSHUTTLE", "SeaDaddy", "SeaDask", "SeaDesk", "SeaDuke", "Sharp-SMBExec", "SharpView", "Sibot", "Solorigate", "SoreFang", "TinyBaron", "WINELOADER", "WellMail", "WellMess", "cobeacon", "elf.wellmess", "reGeorg", "tDiscoverer" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775439010, "ts_updated_at": 1775792253, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/480e34ae4bc03772fa5e7eb0ff18b3801cc9126e.pdf", "text": "https://archive.orkl.eu/480e34ae4bc03772fa5e7eb0ff18b3801cc9126e.txt", "img": "https://archive.orkl.eu/480e34ae4bc03772fa5e7eb0ff18b3801cc9126e.jpg" } }