Surge in Nobelium-linked supply chain attacks

An ongoing Russian state cyber campaign with links to the advanced persistent threat (APT) group that turned over SolarWinds nearly a year ago is targeting cloud and managed services providers and, with “top-notch” tradecraft and operational security, presents a live and dangerous threat.

That is according to threat researchers at Mandiant, who are tracking this activity and have identified two clusters – it designates these as UNC3004 and UNC2652 – both of which appear to be associated with SolarWinds’ tormentors, UNC2452, also known as Nobelium, although there is insufficient evidence to confirm this is the case.

“In most instances, post-compromise activity included theft of data relevant to Russian interests,” said the researchers in a newly published disclosure notice.

“In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection and confuse attribution efforts.”

Mandiant’s researchers, Luke Jenkins, Sarah Hawley, Parmian Najafi and Doug Bienstock, found that the actors are compromising their target networks via compromised third-party IT services providers, using their privileged access and credentials to move downstream, in a classic example of a supply chain attack.

They have also identified at least one instance in which the actors compromised a local VPN account, using it to perform recon and access further resources inside the victim cloud service provider’s (CSP’s) environment, ultimately compromising internal domain accounts.

The team also identified a campaign in which the actors accessed their target’s Microsoft 365 environment with a stolen session token – further analysis found that some of the target’s workstations were already infected with the Cryptbot infostealer, and Mandiant assesses that the attackers probably obtained the session token from Cryptbot’s operators.

After accessing service providers, the group deployed a number of tactics and techniques as they moved downstream to their intended targets, which are more fully detailed in Mandiant’s blog.

Of particular note, however, are some of the ways in which they attempted to evade protective measures. These included the use of stolen session cookies to identify CSP virtual machines (VMs) that were allowed to communicate with downstream customers, bypassing CSP and target security measures, and the deployment of a novel downloader, coded in C and dubbed Ceeloader, which supports shellcode payloads that are executed in memory on the target device, and is well obfuscated.

The actors have also taken to localising their infrastructure to appear as if they appear in close geographical proximity to their victim environments – ie not in Russia. There are a number of ways to do this, including using residential IP address ranges obtained via residential and mobile IP address proxy providers to authenticate to victim networks and appear as if they are logging on over a connection from a legitimate internet service provider (ISP) in the same country.

In other instances, the threat actors provisioned a system within Azure that was in close proximity to a legitimate CSP Azure-hosted system used to access the customer environment, establishing geo-proximity and resulting in the recorded source IP address for the activity originating from legitimate ranges.

Mandiant’s team also found the actors are paying particular attention to their own operational security, for example by using multiple compromised accounts and separating them out by function – recon, lateral movement, data theft, etc – to reduce the likelihood that defenders might be alerted by suspicious activity. They have also been observed circumventing or deleting system logging capabilities.

“This intrusion activity reflects a well-resourced threat actor set operating with a high level of concern for operational security,” said the team.

“The abuse of a third party, in this case a CSP, can facilitate access to a wide scope of potential victims through a single compromise. Though Mandiant cannot currently attribute this activity with higher confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations.”