French Diplomatic Entities Targeted by Russian-Aligned Nobelium

Russian-aligned threat actor Nobelium has been continuously targeting French diplomatic entities and public organizations since 2021, according to the French cybersecurity agency ANSSI.

In a new advisory, the French agency said the threat actor was involved in at least five coordinated campaigns between 2021 and 2024. Targets included the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies worldwide.

“ANSSI has observed a high level of activities linked to Nobelium against the recent backdrop of geopolitical tensions, especially in Europe, in relation to Russia’s aggression against Ukraine,” the agency wrote.

Most of these cyber-attacks followed the same techniques, tactics and procedures (TTPs): the threat actor utilized compromised legitimate email accounts belonging to diplomatic staff and conducted phishing campaigns against target institutions.

The operators attempted to deliver their own private loaders, in order to execute public red teaming tools such as Cobalt Strike or Brute Ratel C4 to access the victim’s network, ensure persistence and exfiltrate valuable intelligence.

“Nobelium’s activities against government and diplomatic entities, described as a campaign called “Diplomatic Orbiter,” represent a national security concern and endanger French and European diplomatic interests,” ANSSI added.

The agency also noted that Nobelium recently expanded its victim list by targeting IT companies such as Microsoft, Hewlett Packard Enterprise (HPE), and TeamCity.

Who is Behind Nobelium?

Nobelium (aka Midnight Blizzard) is a well-resourced and highly dedicated cyberespionage group believed to be affiliated with the Russian foreign intelligence service (SVR).

Several partners, including in the US, consider Nobelium to be associated with APT29, to which both the 2015 attack against the American Democratic National Committee and the 2020 Sunburst attack targeting SolarWinds products were attributed.

However, based on the observation of attackers’ evolving codes, tactics, techniques and procedures, ANSSI prefers to differentiate three different and full-fledged SVR-related intrusion sets:

• APT29, also known as The Dukes, reportedly active since at least 2008, used until 2019 against various governments, think tanks, diplomatic entities and political parties and notably associated with the 2015 attack against the American Democratic National Committee
• Dark Halo, publicly linked to the supply chain attack via SolarWinds and exposed in December 2020
• Nobelium, likely active since at least October 2020

Nobelium has targeted public and private organizations across Europe, Africa, North America and Asia.