How Russian hackers are trying to trap French diplomats – L’Express


The method is ingenious: send a message containing a booby-trapped attachment from an email account stolen from its owner, generally a member of the Ministry of Foreign Affairs. This is the strategy of the hacker group Nobelium, as explained in a report from the National Information Systems Security Agency (Anssi), the service responsible for the cybersecurity of the French State, published Wednesday June 19. Known as phishing, this method allows hackers to pose as a trusted third party and gain access to confidential information.

Nobelium, also known as Midnight Blizzard, has been active since October 2020, but it is only the latest emanation of APT29, a group that has been attacking government agencies, diplomatic entities, think tanks and political parties since 2008. Despite this long experience in cyberattacks, intrusion attempts targeting French diplomats have been mostly unsuccessful, according to Anssi. This is due in particular to the “appropriate behavior” of diplomatic staff, as at the French embassy in Romania in May 2023.


The attempts are numerous and creative. In April and May 2022, dozens of email addresses of French diplomats were hit by emails offering them a meeting with the Portuguese ambassador or announcing the closure of a Ukrainian embassy. In May 2023, several European embassies in Kyiv, including that of France, received emails with the subject line “diplomatic car for sale”. These are surprising topics, chosen to arouse the curiosity of targets and make them click on the message, or even on the attachment. These phishing campaigns tend to be very convincing, perfectly imitating the form of letters received by officials at the Quai d’Orsay.

Groups linked to Russian intelligence

The Nobelium group sometimes even uses identity theft to trap other foreign diplomats. In March 2022, for example, an email was sent from the email address of a French diplomat to a European embassy in South Africa informing it of the closure of the French embassy due to a terrorist act. The goal is simple: to discreetly infiltrate the target’s computer system and collect strategic information and data, both on the internal functioning of the organization and on its cyber defense system, in order to be better able to circumvent it during future attacks.


For Anssi, these intrusion campaigns are directly linked to the SVR, Russia’s foreign intelligence service, which is very close to the Kremlin. With the FSB, domestic intelligence, and the GRU, military intelligence, the SVR is one of the pillars of the security apparatus that gives Russia its great capacity to project power and cause harm around the world. Anssi also says it has observed “a high level of activities linked to Nobelium in the recent context of geopolitical tensions, particularly in Europe, linked to Russia’s aggression against Ukraine”. To combat this resurgence, the European Union is putting in place new tools, such as a “cyber shield” and a reserve of volunteers to prevent attacks.

The Nobelium group’s resources also suggest that it is not acting alone. “The capabilities implemented to control such a large number of mailboxes, the persistence of the attacks and the efforts deployed to falsify reference documents indicate that Nobelium is almost certainly operating on behalf of a state actor,” the Anssi report explains.

Microsoft also affected

While diplomats are preferred targets in the current geopolitical context, large private companies are also targeted by this type of attack, because they make it possible to hit other targets indirectly: their customers. In 2020, Nobelium was behind the massive hack of software company SolarWinds, which counted several strategic branches of the US government among its clients.


But it is above all the giant Microsoft that regularly reports cyberattacks coming from this group. In November 2023, the company revealed that the mailboxes of cybersecurity teams and several executives had been targeted by Nobelium to exfiltrate information about Microsoft’s internal operations. “This includes access to certain company source code repositories,” Microsoft pointed out in a blog post, referring to the files that allow the programming of software.

“Some of these secrets have been shared between customers and Microsoft in emails, and as we discover them in our exfiltrated emails, we have reached out to those customers to help them take mitigation steps,” the firm assured. But in the meantime, this source code can be used by Nobelium to prepare new intrusion campaigns, hoping, this time, not to be detected.
