Russia-linked APT Nobelium targets French diplomatic entities

French information security agency ANSSI reported that Russia-linked threat actor Nobelium is behind a series of cyber attacks that targeted French diplomatic entities.

The French information security agency ANSSI reported that Russia-linked APT Nobelium targeted French diplomatic entities. Despite the French agency linked the attacks to the cyberespionage group Nobelium (aka APT29, SVR group, Cozy Bear, Midnight Blizzard, BlueBravo, and The Dukes), ANSSI differentiates these groups into separate threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds attack.

October 2020, used against high-value targets, most likely for espionage purposes. Western diplomatic entities, such as embassies and Ministries of Foreign Affairs, account for the majority of known victims of Nobelium. However, several IT companies have also reported that they have been targeted by Nobelium’s operators in late 2023 and 2024.

The report published by ANSSI is based upon elements collected by the French agency, evidence shared by its national partners (known as C4 members), and publicly available reports. The document warns of phishing campaigns conducted by Nobelium against French public and diplomatic entities aiming at gathering strategic intelligence.

“Nobelium is characterized by the use of specific codes, tactics, technics and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies and consulates.” reads the report published by ANSSI. “These activities are also publicly described as a campaign called “Diplomatic Orbiter”.”

Attackers forge lure documents to target diplomatic staff, attempting to deliver their custom loaders to drop public post-exploitation tools such as Cobalt Strike or Brute Ratel C4. The tools allows attackers to access the victim’s network, perform lateral movements, drop additional payloads, maintain persistence, and exfiltrate valuable intelligence.

The agency confirmed that several IT companies have also reported being targeted by Nobelium in late 2023 and 2024.

ANSSI warns of Nobelium attacks

“French public organisations have been targeted several times by phishing emails sent from foreign institutions previously compromised by Nobelium’s operators.” continues the report. “From February to May 2021, Nobelium operators conducted several phishing campaigns3 exploiting compromised email accounts belonging to the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT), sending an attachment called “Strategic Review”.”

In March 2022, a European embassy in South Africa received a phishing email that impersonated a French embassy, announcing the closure after a terrorist attack. The attackers sent the email from a compromised account of a French diplomat. In April and May 2022, Nobelium phishing messages reached dozens of email addresses from the French Ministry of Foreign Affair. Threat actors used themes like the closure of a Ukrainian embassy or a meeting with a Portuguese ambassador.

In May 2023, Nobelium targeted several European embassies in Kyiv, including the French embassy, with a phishing campaign involving an email about a “Diplomatic car for sale.” The ANSSI also reported a failed attempt to compromise the French Embassy in Romania.

“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine. Nobelium’s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests. The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent.” concludes the report that also provides indicators of compromise. “Nobelium’s techniques, tactics, and procedures remain mainly constant over time.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ANSSI)