|APT29|December : supply - chain attack via Solar W inds|February -M ay: t argeting of the French MFA|May: targeting o f French in Ukraine and Romania|embassies|Col6|
|---|---|---|---|---|---|
|||||||
|Dark Halo Nobelium 2015: attack against the American March- May: t argeting of December : attack Democratic National C ommittee several French e mbassies against Microsoft|||||January : against Packard|


# MALICIOUS ACTIVITIES LINKED TO THE NOBELIUM INTRUSION SET

### 2024-06-19

## The Nobelium intrusion set

ANSSI considers that the Nobelium intrusion set, also called Midnight Blizzard [1], has been active since at least Octo-
ber 2020. It is actively used against high-value targets, most likely for espionage purposes. Phishing campaigns
conducted by Nobelium operators have targeted countries in Europe, Africa, North America and Asia. Activities
linked to this intrusion set have been publicly linked to the Russian foreign intelligence service SVR.

Several observers and ANSSI’s partners describe activities tied to this intrusion set under the name APT29. How-
ever, based on the observation of attackers’ evolving codes, tactics, technics and procedures, ANSSI prefers to dif-
ferentiate three different and full-fledged SVR-related intrusion sets: APT29, also known as The Dukes, reportedly
active since at least 2008, used until 2019 against various governments, think-tanks, diplomatic entities and political
parties and notably associated with the 2015 attack against the American Democratic National Committee [2]; Dark
_Halo, publicly linked to the supply chain attack via SolarWinds and exposed in December 2020; and Nobelium, likely_
active since at least October 2020.

_Nobelium is characterized by the use of specific codes, tactics, technics and procedures. Most of Nobelium cam-_
paigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff,
**and conduct phishing campaigns against diplomatic institutions, embassies and consulates. These activities**
are also publicly described as a campaign called “Diplomatic Orbiter”. The lure documents used in these attacks are
typically forged to target diplomatic staff. The operators attempt to deliver their own private loaders, in order to
execute public tools such as Cobalt Strike or Brute Ratel C4, to access the victim’s network, ensure persistence and
exfiltrate valuable intelligence. However, several IT companies have also reported that they have been targeted by
_Nobelium’s operators in late 2023 and 2024._

December: supply-chain attack February-May: targeting of the May: targeting of French embassies
_via_ Solar Winds French MFA in Ukraine and Romania

APT29
Dark Halo Nobelium

2015: attack against the American March-May: targeting of December: attack January: attack
Democratic National Committee several French embassies against Microsoft against Hewlett

Packard Enterprise

Examples of attacks linked with APT29, Dark Halo and Nobelium

## Malicious activities against French diplomatic entities

Western diplomatic entities, such as embassies and Ministries of Foreign Affairs, account for the majority of known
_Nobelium’s victims. French public organisations have been targeted several times by phishing emails sent_
**from foreign institutions previously compromised by Nobelium’s operators.**

From February to May 2021, Nobelium operators conducted several phishing campaigns [3] exploiting compromised
email accounts belonging to the French Ministry of Culture and the National Agency for Territorial Cohesion
(ANCT), sending an attachment called “Strategic Review”. The investigations led by ANSSI concluded that the

[1. https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-threat-actor-naming?view=o365-](https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-threat-actor-naming?view=o365-worldwide)
```
      worldwide

```
[2. https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/](https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/)
[3. https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/](https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/)

Page 1 of 3


-----

Malicious activities linked to the Nobelium intrusion set

attackers did not manage to move laterally within the Ministry of Culture and the ANCT information systems.
These compromised accounts have been used to target a variety of entities, including the French Ministry of For-
eign Affairs. Nobelium operators attempted to install the Cobalt Strike tool on the French Ministry of Foreign
Affairs information system, which could have enabled remote control on the compromised machines. However,
the attack against the French Ministry of Foreign Affairs was unsuccessful.

In March 2022, a European embassy in South Africa received a malicious email impersonating a French embassy,
which announced its closing due to an unspecified terrorist act. The phishing emails were sent from a compromised
account belonging to a French diplomat.

In April and May 2022, dozens of email addresses belonging to the French Ministry of Foreign Affairs were targeted
by phishing emails linked to Nobelium. In order to draw the attention of their targets, these phishing emails were
themed on the closing of a Ukrainian embassy or an appointment with a Portuguese ambassador.

In May 2023, several European embassies in Kyiv were targeted by a phishing campaign conducted by Nobelium’s
operators. The French embassy in Kyiv was one of the targets of this campaign, which was conducted through an
email that was themed about a “Diplomatic car for sale”.

In May 2023, an attempt by Nobelium operators to compromise the French Embassy in Romania was detected but
was also unsuccessful thanks to the appropriate behavior of the diplomatic staff.

**ANSSI and C4 members consider that the imputation of these activities against French diplomatic entities**
**to Nobelium is consistent. The tools and infrastructures employed by the attackers show similarities with other**
_Nobelium-linked campaigns. The victims of these activities aiming to exfiltrate strategic intelligence are consistent_
with the usual targeting associated with Nobelium by other observers. The capabilities implemented to compro-
mise such a vast number of email accounts, the persistence of the attacks, the efforts put into the forgery of lure
documents indicate that Nobelium is almost certainly operated on behalf of a state actor.

## Malicious activities against international IT entities

Several companies in the IT industry have disclosed their targeting and compromise by Nobelium’s operators. Ac-
cording to Microsoft, part of the activities linked to Nobelium (alias Midnight Blizzard) has targeted technology
companies worldwide, especially in North America and Western Europe.

Microsoft reported a security incident at the end of November 2023 attributed to Nobelium [4]. The attackers exfil-
trated emails from the cybersecurity and legal teams as well as executives. The cybersecurity teams at Microsoft
regularly publish intelligence concerning Nobelium’s activities: the attackers may have tried to find out the infor-
mation Microsoft held on their operations. These insights could give the attackers opportunities to improve their
operational security, to avoid the detection of their attacks and to hinder the analysts’ monitoring capabilities.

In January 2024, the American company Hewlett Packard Enterprise (HPE) has reported that a suspected nation-
state actor, believed to be the threat actor Midnight Blizzard obtained a non-authorized access to the company’s
cloud-based email environment [5].

A report [6] published in December 2023 by Polish, British and American authorities stated that Nobelium operators
had exploited CVE-2023-42793 since September 2023 on a large scale against servers hosting the JetBrains software
developed by TeamCity. It seems that this campaign was opportunistic and not driven by a consistent targeting
pattern: at least a dozen companies in various countries and sectors have been identified as compromised. Accord-
ing to CERT.PL, the compromise of TeamCity servers could have made it possible to carry out supply-chain attacks,
however such attempts have not been observed. Nevertheless, this campaign shows that Nobelium’s operators are
potentially looking for opportunities to carry out supply-chain attacks.

[4. https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-](https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/)
```
      blizzard/

```
[5. https://www.sec.gov/Archives/edgar/data/1645590/000164559024000009/hpe-20240119.htm](https://www.sec.gov/Archives/edgar/data/1645590/000164559024000009/hpe-20240119.htm)
[6. https://cert.pl/en/posts/2023/12/apt29-teamcity/](https://cert.pl/en/posts/2023/12/apt29-teamcity/)

Page 2 of 3


-----

Malicious activities linked to the Nobelium intrusion set
## Nobelium remains an active threat to French and international interests

ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions,
especially in Europe, in relation to Russia’s aggression against Ukraine. Nobelium’s activities against government
**and diplomatic entities represent a national security concern and endanger French and European diplomatic**
**interests.**

The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthen
**their offensive capabilities and the threat they represent. The intelligence gathered during recent attacks against**
IT sector entities could also facilitate Nobelium’s future operations.

_Nobelium’s technics, tactics and procedures remain mainly constant over time. Technical elements are available in_
ANSSI’s publication dated of the 6[th] of December 2021 “Phishing campaigns by the Nobelium intrusion set” [7].

Moreover, ANSSI and its partners observed several indicators of compromise (IOCs) linked to Nobelium’s latest
campaigns. They are available on Zscaler [8] and Mandiant [9] websites.

[7. https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/](https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-011/)
[8. https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader](https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader)
[9. https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties](https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties)

Page 3 of 3


-----