NOBELIUM Supply Chain Attacks

THE THREAT

Researchers from Microsoft have released both a high-level report and a technical guidance report relating to ongoing supply chain attacks attributed to the NOBELIUM threat actor group (aka. APT29, The Dukes, CozyBear). Law Enforcement and governments have attributed NOBELIUM to Russia's Foreign Intelligence Service (SVR).

Since May 2021, NOBELIUM has attempted to compromise Managed Service Providers (MSPs), Cloud Service Providers (CPSs), and other IT services, in order to breach their customer bases. Attacks have been observed against more than 140 service providers; at least 14 unnamed organizations have been confirmed as compromised.

Organizations are recommended to review the recommendations in this advisory and ensure that proactive defenses are in place.

eSentire is a customer of its own products and services and is already following the recommended mitigation strategies as a part of our ongoing security best practices. As a precaution, eSentire is accelerating our access review cycle, which includes delegated administrative access and will continue to monitor user activity.

What we’re doing about it

• eSentire has deployed both Network and Endpoint rules for known NOBELIUM related malware
• eSentire MDR for Log detects unusual logins, password spraying, and multiple cloud lateral movement and persistence techniques known to be used by NOBELIUM
• Additional detections based on Microsoft reporting are under review

What you should do about it

• Enforce the use of Multi-Factor Authentication (MFA) for all externally facing services
• Ensure the Principle of Least Privilege is adhered to for all service providers
• Remove delegated administrative privileges when not in active use
• Clients with eSentire MDR for Log should ensure logging is in place for Azure AD logs (sign-ins specifically), Azure Activity logs, and Office365
• See the full Microsoft report for additional recommendations and security best practices

Additional information

Targeted organizations have been identified in the United States and multiple European countries. NOBELIUM is abusing trusted relationships in order to compromise governments, think tanks, and other organizations with information valuable to the Russian state. Initial access to services providers is gained via a variety of methods including spear-phishing emails, password spraying, token theft and API abuse. Microsoft has not shared information on organizations confirmed to be compromised by NOBELIUM. According to the recent reports all impacted organizations have been privately notified by Microsoft.

Indicators of Compromise (IoCs) relating to this activity are not publicly available at this time. NOBELIUM is a sophisticated APT that shifts indicators based on campaigns; as such, detecting techniques employed by the group is critical.

Techniques employed by NOBELIUM in the recent supply chain attacks include:

• Leveraging “anonymous” infrastructure such as TOR
• Leveraging scripted capabilities to enumerate Azure AD
• Authenticating to accounts from unusual locations
• Modifying Azure AD for persistent long-term access
• Use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO)
• The specific targeting of privileged users; notably Global Administrators

References:

[1] https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/
[2] https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
[3] https://us-cert.cisa.gov/bsi/articles/knowledge/principles/least-privilege