The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware.
Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.
While Nobelium is an advanced hacking group using custom malware and tools, they still leave traces of activity that researchers can use to analyze their attacks.
In a new report from Mandiant, researchers used this activity to uncover the tactics, techniques, and procedures (TTPs) used by the hacking group, as well as a new custom downloader called “Ceeloader.”
Furthermore, the researchers break Nobelium into two distinct clusters of activity, tracked as UNC3004 and UNC2652, which could mean that Nobelium is in fact two cooperating hacking groups.