SolarWinds Hackers Targeting Government and Business Entities Worldwide

Nobelium, the threat actor attributed to the massive SolarWinds supply chain compromise, has been once again linked to a series of attacks targeting multiple cloud solution providers, services, and reseller companies, as the hacking group continues to refine and retool its tactics at an alarming pace in response to public disclosures.

The intrusions, which are being tracked by Mandiant under two different activity clusters, UNC3004 and UNC2652, are both associated with UNC2452, an uncategorized threat group that has since been tied to the Russian intelligence service. UNC2652, in particular, has been observed targeting diplomatic entities with phishing emails containing HTML attachments with malicious JavaScript, ultimately dropping a Cobalt Strike Beacon onto the infected devices.
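
The delivery pattern described above, an HTML attachment that carries its own JavaScript, is one a mail gateway or triage script can check for before a user ever opens the file. The following is an added defender-side example, not code from the article or from Mandiant: it builds a constructed sample message with the Python standard library, then walks the attachments and flags any HTML part containing script indicators. The indicator list and the sample filenames are assumptions for the example, not signatures taken from the report.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# File extensions treated as HTML even when the declared MIME type differs.
HTML_EXTENSIONS = (".html", ".htm", ".xhtml", ".mht", ".mhtml")

# Indicators of inline script in an HTML attachment. This list is an
# assumption for the example, not a signature published with the report.
SCRIPT_INDICATORS = [
    ("script-tag", re.compile(rb"<script\b", re.I)),
    ("event-handler", re.compile(rb"\bon(load|error|click)\s*=", re.I)),
    ("base64-decode", re.compile(rb"\batob\s*\(", re.I)),
    ("blob-construction", re.compile(rb"\bnew\s+Blob\s*\(", re.I)),
]


def build_sample_eml() -> bytes:
    """Constructed test message (not a real capture): a benign text body,
    an HTML attachment with inline JavaScript, and a harmless PDF placeholder."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Please see the attached notes.")
    # The HTML part decodes a base64 payload at runtime, the behaviour a
    # triage check should surface. The payload here is a placeholder string.
    html = '<html><body><script>var p=atob("...");</script></body></html>'
    msg.add_attachment(html, subtype="html", filename="notes.html")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="agenda.pdf")
    return msg.as_bytes()


def scan_eml(raw: bytes) -> list[dict]:
    """Return one finding per HTML attachment, marking it suspicious when any
    script indicator matches the decoded attachment bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ctype = part.get_content_type()
        is_html = (ctype in ("text/html", "application/xhtml+xml")
                   or filename.lower().endswith(HTML_EXTENSIONS))
        if not is_html:
            continue
        # decode=True undoes base64 / quoted-printable so patterns see raw HTML.
        payload = part.get_payload(decode=True) or b""
        hits = [name for name, pattern in SCRIPT_INDICATORS if pattern.search(payload)]
        findings.append({
            "filename": filename,
            "content_type": ctype,
            "indicators": hits,
            "suspicious": bool(hits),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_eml(build_sample_eml()):
        print(finding)
```

The check deliberately keys on both the declared content type and the file extension, since a sender controls both headers and only needs one of them to slip past a type-only filter. A non-suspicious HTML attachment is still reported (with an empty indicator list) so that a reviewer can see what was inspected, not only what was flagged.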

"In most instances, post-compromise activity included theft of data relevant to Russian interests," Mandiant researchers Luke Jenkins, Sarah Hawley, Parnian Najafi, and Doug Bienstock said in a new report. "In some instances, the data theft appears to be obtained primarily to create new routes to access other victim environments."
