French information security agency ANSSI reported that Russia-linked threat actor Nobelium<\/a><\/a> is behind a series of cyber attacks that targeted French diplomatic entities. <\/h2>\n\n\n\n
The French information security agency ANSSI reported that Russia-linked APT <\/a>Nobelium<\/a> targeted French diplomatic entities. Despite the French agency linked the attacks to the cyberespionage group Nobelium<\/a> (aka\u00a0APT29<\/a>,\u00a0SVR group<\/a>,\u00a0Cozy Bear<\/a>, Midnight Blizzard<\/a>,\u00a0BlueBravo<\/a>,\u00a0and\u00a0The Dukes<\/a>), ANSSI differentiates these groups into separate threat clusters, including a group named Dark Halo, which was responsible for the 2020 SolarWinds<\/a> attack.<\/p>\n\n\n\n
“Nobelium is characterized by the use of specific codes, tactics, technics and procedures. Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies and consulates.” reads the report<\/strong><\/a> published by ANSSI. “These activities are also publicly described as a campaign called \u201cDiplomatic Orbiter<\/a>\u201d.” <\/p>\n\n\n\n
Attackers forge lure documents to target diplomatic staff, attempting to deliver their custom loaders to drop public post-exploitation tools such as Cobalt Strike<\/a> or Brute Ratel C4. The tools allows attackers to access the victim’s network, perform lateral movements, drop additional payloads, maintain persistence, and exfiltrate valuable intelligence. <\/p>\n\n\n\n
![\"ANSSI](\"https:\/\/i0.wp.com\/securityaffairs.com\/wp-content\/uploads\/2024\/06\/image-18.png?ssl=1\")
<\/a><\/figure>\n\n\n\n“French public organisations have been targeted several times by phishing emails sent from foreign institutions previously compromised by Nobelium\u2019s operators.” continues the report. “From February to May 2021, Nobelium operators conducted several phishing campaigns3 exploiting compromised email accounts belonging to the French Ministry of Culture and the National Agency for Territorial Cohesion (ANCT), sending an attachment called \u201cStrategic Review\u201d.”<\/em><\/p>\n\n\n\n
In March 2022, a European embassy in South Africa received a phishing email that impersonated a French embassy, announcing the closure after a terrorist attack. The attackers sent the email from a compromised account of a French diplomat. In April and May 2022, Nobelium phishing messages reached dozens of email addresses from the French Ministry of Foreign Affair. Threat actors used themes like the closure of a Ukrainian embassy or a meeting with a Portuguese ambassador.<\/p>\n\n\n\n
In May 2023, Nobelium targeted several European embassies in Kyiv, including the French embassy, with a phishing campaign involving an email about a “Diplomatic car for sale.” The ANSSI also reported a failed attempt to compromise the French Embassy in Romania. <\/p>\n\n\n\n
“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia\u2019s aggression against Ukraine. Nobelium\u2019s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests. The targeting of IT and cybersecurity entities for espionage purposes by Nobelium operators potentially strengthens their offensive capabilities and the threat they represent.” concludes the report that also provides indicators of compromise<\/a>. “Nobelium\u2019s techniques, tactics, and procedures remain mainly constant over time.” <\/em>
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/strong><\/a><\/p>\n\n\n\n
Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, ANSSI)<\/strong>