Nobelium Continues to Strike High-Profile Targets
The French National Cybersecurity Agency (ANSSI) has issued a warning about the continued activity of the Nobelium intrusion set, also known as Midnight Blizzard. This group, believed to be linked to the Russian foreign intelligence service (SVR), has been actively targeting high-value entities, primarily for espionage purposes.
Nobelium has been particularly active in targeting diplomatic entities, including embassies and Ministries of Foreign Affairs across Europe, Africa, North America, and Asia. The group is known for its sophisticated phishing campaigns, often using compromised legitimate email accounts to trick victims into opening malicious attachments or clicking on malicious links.
Nobelium has been linked to several notorious cyberattacks:
- SolarWinds Attack: Publicly associated with the supply chain attack exposed in December 2020.
- French Diplomatic Entities: Between February and May 2021, Nobelium targeted the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT) with phishing emails. Although some initial compromises occurred, the attackers were unable to move laterally within these systems.
- Microsoft and HPE: In late 2023 and early 2024, Microsoft and Hewlett Packard Enterprise (HPE) reported breaches attributed to Nobelium, with attackers exfiltrating sensitive emails and gaining unauthorized access to cloud-based email environments.
In 2023 and 2024, Nobelium continued its aggressive campaigns:
- European Embassies in Kyiv: Nobelium targeted several embassies with phishing emails themed around a “Diplomatic car for sale.”
- TeamCity Exploitation: Exploiting CVE-2023-42793, Nobelium conducted opportunistic attacks against servers hosting JetBrains TeamCity, a CI/CD build server; access to a build server can potentially pave the way for supply chain attacks on the software it produces.
ANSSI is urging organizations to remain vigilant against the threat posed by Nobelium. The agency recommends strong security measures such as multi-factor authentication and regular security awareness training for employees, and stresses keeping software up to date and patching vulnerabilities promptly.