‘SolarWinds hack group Nobelium still has huge attack potential’

Get a free Techzine subscription!

Nobelium, the hack group held responsible for the infamous SolarWinds attack, still has a large arsenal of advanced hacking capabilities at its disposal. This is the conclusion of Mandiant security specialists in a recent study. The full potential of the alleged state-sponsored collective has not yet come to light.

A year ago, Nobelium hackers succeeded in hacking into American security specialist SolarWinds. Subsequently, about 18,000 customers of this security specialist were hacked, including Microsoft and the U.S. government.

Further investigation into the background of Nobelium revealed that the group is likely receiving support from the Russian state.

Nobelium is best known for its advanced tactics, techniques and procedures (TTP). Instead of attacking their victims one by one, they prefer to pick a company that serves multiple clients. Through a hack on the latter company, the hackers look for a master key that opens the doors to numerous clients.

Not the end

New research by Mandiant underscores that Nobelium has perfected its TTP activities further. Especially for attacks on cloud providers and MSPs, possibly allowing an even greater number of companies to be compromised.

New techniques of the hackers include using login credentials obtained through info-stealer malware campaigns from other hackers. With this, Nobelium’s hackers seek initial access to victims. The hackers also use Application Impersonation privileges to ‘harvest’ sensitive email data. Additionally, the hackers leverage consumer IP proxy services and local infrastructure to communicate with affected victims.

Other techniques

Furthermore, Nobelium uses new TTP capabilities for circumventing security restrictions in various environments to determine internal routing configurations. Another tool recently used is the CEELOADER downloader.

Researchers note that the hackers managed to penetrate active directories of Microsoft Azure accounts and steal master keys used to access the directories of customers. Finally, the hackers abused multi-factor authentication using push notifications on smartphones.

Mandiant researchers say that the hackers are often interested in data important to Russia.

Nobelium is an ongoing problem

The report concludes that Nobelium attacks will not stop for the time being. According to the researchers, the hackers continue to improve their attack techniques and skills to maintain a lingering presence within victims’ networks, avoid detection and frustrate recovery operations.