Nobelium gang malware evolves one year after SolarWinds
Posted by: GuidePoint Security
Published 12/15/21, 9:00am
It’s been a year since the world learned that a “highly sophisticated state-sponsored adversary” had compromised widely used IT monitoring software and used that access to carry out one of the most sophisticated and large-scale cyber operations ever perpetrated on U.S. soil. (You can read more about what happened and the implications in this story: SolarWinds & Securing the Software Supply Chain – One Year Later Retrospective.)
Based on new industry research, Nobelium (Microsoft’s name for the threat actor behind the SolarWinds supply chain attack) has remained busy over the last twelve months, developing new custom malware known as Ceeloader and revising its tactics to adapt to changing defensive security strategies.
Notably, researchers also observed that the type of data being stolen was almost always relevant to Russian interests. The Nobelium gang is believed to be made up of Russian threat actors highly experienced in operational security and espionage. Nobelium also goes by the names Cozy Bear, APT29, and UNC2452.
In the most recent series of attacks, the initial compromise by Nobelium often takes place one of three ways:
- Compromising a cloud service provider and using the provider’s privileged access and credentials to then compromise the provider’s customers
- Authenticating with stolen session tokens, which had been acquired through info-stealing malware known as CRYPTBOT
- Using a valid username and password combination and then triggering repeated multi-factor authentication (MFA) notifications to the end user’s device until the user accepts one, granting the attacker access. (These requests typically target MFA methods based on phone app push notifications or phone calls that ask the user to press a key as a second factor.)
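The MFA push-fatigue technique described in the last bullet leaves a recognisable trace in identity provider sign-in logs: a burst of unaccepted or timed-out MFA prompts for one account, sometimes followed by an approval. The following detection logic is an added example written for this article, not code from GuidePoint Security or from the research it summarises. It assumes a simplified sign-in record format of (timestamp, user, MFA result, source IP); the sample records, the 10-minute window and the 5-prompt threshold are constructed assumptions that a real deployment would tune against its own identity provider export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the article). Each row is
# (timestamp, user, mfa_result, source_ip). A real deployment would read these
# from the identity provider's sign-in log export instead.
SAMPLE_SIGNINS = [
    ("2021-12-01T02:14:05", "alice", "mfa_denied",   "203.0.113.10"),
    ("2021-12-01T02:14:40", "alice", "mfa_timeout",  "203.0.113.10"),
    ("2021-12-01T02:15:12", "alice", "mfa_denied",   "203.0.113.10"),
    ("2021-12-01T02:16:03", "alice", "mfa_timeout",  "203.0.113.10"),
    ("2021-12-01T02:16:55", "alice", "mfa_denied",   "203.0.113.10"),
    ("2021-12-01T02:17:30", "alice", "mfa_denied",   "203.0.113.10"),
    ("2021-12-01T02:18:10", "alice", "mfa_approved", "203.0.113.10"),
    ("2021-12-01T09:01:00", "bob",   "mfa_denied",   "198.51.100.7"),
    ("2021-12-01T09:01:30", "bob",   "mfa_approved", "198.51.100.7"),
    ("2021-12-01T11:20:00", "carol", "mfa_timeout",  "192.0.2.44"),
    ("2021-12-01T11:21:00", "carol", "mfa_timeout",  "192.0.2.44"),
    ("2021-12-01T11:22:00", "carol", "mfa_timeout",  "192.0.2.44"),
    ("2021-12-01T11:23:00", "carol", "mfa_timeout",  "192.0.2.44"),
    ("2021-12-01T11:24:00", "carol", "mfa_timeout",  "192.0.2.44"),
]

UNANSWERED = {"mfa_denied", "mfa_timeout"}  # prompts the user did not accept
APPROVED = "mfa_approved"


def detect_mfa_fatigue(records, window_minutes=10, threshold=5):
    """Flag users who receive `threshold` or more unaccepted MFA prompts inside a
    sliding window (assumed thresholds). A burst is reported as "medium"; if an
    approval arrives while the burst is still inside the window, the same
    finding is raised to "high", because that is the pattern of the attack
    succeeding."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of unanswered prompts in window
    open_finding = {}            # user -> finding dict for the current burst
    findings = []

    # ISO-8601 timestamps sort chronologically as strings, so sorting the
    # tuples orders the records by time.
    for ts_str, user, result, src_ip in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that fell out of the window
            q.popleft()
        if not q:
            open_finding.pop(user, None)  # window drained: the burst is over

        if result in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold and user not in open_finding:
                finding = {
                    "user": user,
                    "severity": "medium",
                    "prompts": len(q),
                    "first_prompt": q[0].isoformat(),
                    "approved_at": None,
                    "source_ip": src_ip,
                }
                open_finding[user] = finding
                findings.append(finding)
            elif user in open_finding:
                open_finding[user]["prompts"] = len(q)
        elif result == APPROVED and user in open_finding:
            # Approval on the heels of a prompt burst: escalate the open finding.
            finding = open_finding.pop(user)
            finding["severity"] = "high"
            finding["approved_at"] = ts.isoformat()
            q.clear()

    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_SIGNINS):
        print(finding)
```

Run against the constructed data, the function reports alice as "high" (six unaccepted prompts followed by an approval from the same source address) and carol as "medium" (five timeouts with no approval), while bob's single denial followed by an approval is ignored. The per-user sliding window keeps memory bounded to the prompts inside the window, and escalating an existing finding rather than emitting a second one keeps a single incident as a single alert.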
The threat actors also used a new, heavily obfuscated custom malware known as Ceeloader, written in C and designed to execute shellcode payloads directly in memory. Ceeloader mixes calls to the Windows API with large blocks of junk code to help evade detection by security software.
Next Steps
Security researchers advise that Nobelium remains an extremely well-resourced gang, operating with a high degree of attention to operational security. Organizations are encouraged to implement remediation and hardening strategies appropriate to the types of attacks described above.