Analytics Story: NOBELIUM Group
Description
NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Its operations are long-running intrusions in the advanced persistent threat (APT) mould, leveraging techniques such as spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Its advanced tactics and persistent approach underscore the serious nature of the threat this group poses to global cybersecurity.
Why it matters
This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Add app role assignment to service principal | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Add member to role | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Add owner to application | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Add service principal | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Consent to application | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Sign-in activity | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Update application | Azure | azure:monitor:aad | Azure AD |
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
O365 | N/A | o365:management:activity | o365 |
O365 Add owner to application. | N/A | o365:management:activity | o365 |
O365 Add service principal. | N/A | o365:management:activity | o365 |
O365 Consent to application. | N/A | o365:management:activity | o365 |
O365 MailItemsAccessed | N/A | o365:management:activity | o365 |
O365 Update application. | N/A | o365:management:activity | o365 |
O365 UserLoginFailed | N/A | o365:management:activity | o365 |
Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic |
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
Windows Event Log System 7036 | Windows | xmlwineventlog | XmlWinEventLog:System |
References
- https://attack.mitre.org/groups/G0016/
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
Source: GitHub | Version: 3