Analytics Story: NOBELIUM Group
Description
NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, the group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Its operations are characteristic of an advanced persistent threat (APT): spear-phishing, malware deployment, and long-term network compromise in support of information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon's Joint Staff email system and attacks on the Democratic National Committee in 2016. The group's advanced tactics and persistent approach underscore the seriousness of the threat it poses to global cybersecurity.
Why it matters
This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| O365 Update application. | Other | o365:management:activity | o365 |
| O365 MailItemsAccessed | Other | o365:management:activity | o365 |
| Azure Active Directory Add service principal | | azure:monitor:aad | Azure AD |
| Azure Active Directory Add member to role | | azure:monitor:aad | Azure AD |
| Azure Active Directory Sign-in activity | | azure:monitor:aad | Azure AD |
| Palo Alto Network Traffic | | pan:traffic | not_applicable |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| O365 Consent to application. | Other | o365:management:activity | o365 |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Add owner to application | | azure:monitor:aad | Azure AD |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| O365 Add owner to application. | Other | o365:management:activity | o365 |
| O365 | Other | o365:management:activity | o365 |
| Azure Active Directory | | azure:monitor:aad | Azure AD |
| Cisco Secure Access Firewall | Other | cisco:cloud_security:firewall | cisco_secure_access:firewall |
| Sysmon EventID 7 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| O365 Add service principal. | Other | o365:management:activity | o365 |
| Azure Active Directory Update application | | azure:monitor:aad | Azure AD |
| Windows Event Log System 7036 | | XmlWinEventLog | XmlWinEventLog:System |
| Azure Active Directory Consent to application | | azure:monitor:aad | Azure AD |
| Azure Active Directory Add app role assignment to service principal | | azure:monitor:aad | Azure AD |
Source: GitHub | Version: 4