Nobelium, the Russia-backed APT group, gained notoriety at the end of 2020 for its attacks on SolarWinds’ software. Since then, it has been turning the heads of researchers with its various malicious activities. Recently, the group made headlines for its involvement in a new supply chain attack. Moreover, the attack also highlighted that the gang seemed to have shifted its focus on a new section of organizations to cause more damage.

Nobelium, an emerging threat

  • A new report furnished by Microsoft’s Threat Intelligence Center (MSTIC) reveals that the group behind the SolarWinds fiasco has targeted at least 140 organizations in a new round of supply chain attacks.
  • The affected organizations include Cloud Service Providers, Managed Service Providers, and other IT services organizations.
  • The Nobelium group’s primary targets include government organizations, think tanks, and the military. 
  • However, the latest large-scale campaign on the technology service providers highlights threat actors’ changing tactics and the use of a broad range of hacking tools and malware.
  • As a part of the attack, the attackers did not leverage exploits for vulnerabilities, but rather they used well-known techniques like password spraying and spear phishing.
  • The targeted activity has been observed against organizations based in the U.S and across Europe since May 2021. 

Worth noting

  • Microsoft noted that the Nobelium APT group had attempted 23,000 attacks between July 1st and October 19.
  • These hack attempts were made against 609 clients of Microsoft but luckily hackers had a low success rate. 

What else can’t be ignored?

  • Ever since its discovery in 2020, there has been a significant shift in malicious activities of the APT 29 group.  
  • Towards the end of September, the Nobelium was associated with a new custom malware dubbed FoggyWeb. Capable of planting malicious payloads on a victim’s machine, the backdoor allowed the APT group to remotely exfiltrate the configuration database of compromised Active Directory Federation Services (AD FS) servers.
  • During the same time, the gang was also linked with new Tomiris backdoor malware that shared similarities with the Kazuar backdoor and the GoldMax malware.
  • On June 25, Microsoft had revealed a new set of password spraying attacks carried out by the APT 29 to access Microsoft customer accounts.
  • The incident had affected three organizations, wherein attackers had deployed an information stealer to collect information from the host machines.


Researchers indicate that APT29’s spear-phishing operations are recurring and have increased in frequency and scope. It is highly likely that additional attacks may be carried out by the group using an evolving set of tactics. Therefore, organizations must go the extra mile to detect and respond to threats from malicious emails, file attachments, and other malicious artifacts.

Cyware Publisher