Analytics Story: NOBELIUM Group
Description
NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations follow the advanced persistent threat (APT) pattern: spear-phishing, malware deployment, and long-term network compromise in pursuit of information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of the threat this group poses to global cybersecurity.
Why it matters
This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Azure Active Directory Update application | | azure:monitor:aad | Azure AD |
| O365 | Other | o365:management:activity | o365 |
| O365 Update application. | Other | o365:management:activity | o365 |
| Azure Active Directory Add member to role | | azure:monitor:aad | Azure AD |
| O365 Add service principal. | Other | o365:management:activity | o365 |
| O365 MailItemsAccessed | Other | o365:management:activity | o365 |
| Azure Active Directory Add owner to application | | azure:monitor:aad | Azure AD |
| Azure Active Directory Add service principal | | azure:monitor:aad | Azure AD |
| Palo Alto Network Traffic | | pan:traffic | not_applicable |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| Cisco Secure Access Firewall | Other | cisco:cloud_security:firewall | cisco_secure_access:firewall |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory | | azure:monitor:aad | Azure AD |
| O365 Consent to application. | Other | o365:management:activity | o365 |
| Azure Active Directory Sign-in activity | | azure:monitor:aad | Azure AD |
| Azure Active Directory Add app role assignment to service principal | | azure:monitor:aad | Azure AD |
| O365 Add owner to application. | Other | o365:management:activity | o365 |
| Windows Event Log System 7036 | | XmlWinEventLog | XmlWinEventLog:System |
| Azure Active Directory Consent to application | | azure:monitor:aad | Azure AD |
References
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://attack.mitre.org/groups/G0016/
Source: GitHub | Version: 4