{"id":102834,"date":"2021-12-15T09:00:00","date_gmt":"2021-12-15T17:00:00","guid":{"rendered":""},"modified":"2025-06-20T08:57:59","modified_gmt":"2025-06-20T15:57:59","slug":"a-report-on-nobeliums-unprecedented-nation-state-attack","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/12\/15\/a-report-on-nobeliums-unprecedented-nation-state-attack\/","title":{"rendered":"A report on NOBELIUM\u2019s unprecedented nation-state attack"},"content":{"rendered":"\n

This is the final post in a four-part series on the NOBELIUM nation-state cyberattack.<\/em> In December 2020, Microsoft began sharing details with the world about what became known as the most sophisticated nation-state cyberattack in history. Microsoft\u2019s <\/em>four-part video series<\/em><\/a> \u201cDecoding NOBELIUM\u201d pulls the curtain back on the NOBELIUM incident and how world-class threat hunters from Microsoft and around the industry came together to take on the most sophisticated nation-state attack in history. In this last post, we\u2019ll<\/em> reflect on lessons learned as covered in the <\/em>fourth episode<\/em><\/a> of the docuseries. <\/em><\/p>\n\n\n\n

Nation-state attacks are a serious and growing threat that organizations of all sizes face. Their primary objective is to gain strategic advantage for their country, such as by stealing secrets, gathering cyber intelligence, conducting reconnaissance, or disrupting operations. These efforts are typically conducted by state-sponsored actors with significant expertise and funding, making them a particularly challenging adversary to defend against.<\/p>\n\n\n\n

NOBELIUM, a Russian-linked group, is perhaps best known for the widespread SolarWinds supply chain breach. The incident was part of an even larger and more advanced campaign that had been quietly underway for more than a year. As details of this attack were uncovered, it became clear that it was the most sophisticated nation-state cyberattack in history.<\/p>\n\n\n\n

In the final episode<\/a> of our \u201cDecoding NOBELIUM\u201d series, we provide an after-action report that explores Microsoft\u2019s findings and discusses lessons learned.<\/p>\n\n\n\n

NOBELIUM deployed extensive tactics<\/h2>\n\n\n\n

Let\u2019s start by reviewing the key stages of the attack.<\/p>\n\n\n\n

The intrusion<\/h3>\n\n\n\n

It\u2019s critical to understand how NOBELIUM achieved penetration into environments. Going beyond the supply chain compromise, this actor also deployed many common-place tactics like password spraying or exploiting the vulnerabilities of unpatched devices to steal credentials and gain access to systems. Ultimately, NOBELIUM leveraged a wide range of techniques to achieve penetration and adapted their toolset to each victim\u2019s unique environment in order to achieve their goals.<\/p>\n\n\n\n

The <\/strong>exploitation<\/h3>\n\n\n\n

Once NOBELIUM had gained entry, they followed the typical pattern for internal reconnaissance: discover the elevated accounts, find out which machines were there, and create a sophisticated map to understand how to reach their targets. They demonstrated extensive knowledge of enterprise environments and cybersecurity systems by evading defenses, masking activities in regular system processes, and hiding malware under many layers of code.<\/p>\n\n\n\n

The exfiltration<\/h3>\n\n\n\n

Armed with an understanding of their target\u2019s environment, NOBELIUM executed their plan\u2014gaining access to their source codes, harvesting emails, or stealing production secrets.<\/p>\n\n\n\n

NOBELIUM demonstrated patience and stealth<\/h2>\n\n\n\n

The NOBELIUM group moved methodically to avoid getting caught. \u201cThey were so deliberate and careful about what they did. It wasn\u2019t like a smash and grab, where they came in and just vacuumed up everything and fled,\u201d said Security Analyst Joanne of the Microsoft Digital Security and Resilience (DSR) Security Operations Center (SOC) Hunt Team.<\/p>\n\n\n\n

It took time to move undetected through networks, gathering information and gaining access to privileged networks. For example, they disabled organizations’ endpoint detection and response (EDR) solutions from being launched upon system startups. NOBELIUM then waited up to a month for computers to be rebooted on a patch day and took advantage of vulnerable machines that hadn\u2019t been patched.<\/p>\n\n\n\n

\u201cThe adversary showed discipline in siloing all of the technical indicators that would give up their presence,\u201d said John Lambert, General Manager of the Microsoft Threat Intelligence Center. \u201cMalware was named different things. It was compiled in different ways. The command and control domains they would use differed per victim. As they moved laterally within a network from machine to machine, NOBELIUM took great pains to clean up after each step.\u201d<\/p>\n\n\n\n

Preparing for future nation-state attacks<\/h2>\n\n\n\n

When adversaries take this much care in hiding their activities, it can take the detection of many seemingly benign activities across different vectors pulled together to highlight one overall technique.<\/p>\n\n\n\n

\u201cIn order to respond to an attack like NOBELIUM, with its scope and breadth and sophistication, you need to have visibility into various entities across your entire digital state,\u201d explains Sarah Fender, Partner Group Program Manager for Microsoft Sentinel<\/a>. \u201cYou need to have visibility into security data and events relating to users and endpoints, infrastructure, on-premises and in the cloud, and the ability to quickly analyze that data.\u201d<\/p>\n\n\n\n

NOBELIUM leveraged users and credentials as a critical vector for intrusion and escalation. Identity-based attacks are on the rise. \u201cOnce I can authenticate into your environment, I don’t need malware anymore, so that means monitoring behaviors,\u201d says Roberto, Principal Consultant and Lead Investigator for Microsoft\u2019s Detection and Response Team. \u201cBuilding a profile for when Roberto’s using his machine, he accesses these 25 resources, and he does these kinds of things and he’s never been in these four countries. If I ever see something that doesn’t fit that pattern, I need to alert on it.\u201d <\/p>\n\n\n\n

Bottom line: ensure you are protecting your identities.<\/strong><\/p>\n\n\n\n

Finally, if we\u2019ve learned anything, it\u2019s that we need to take care of our security teams, especially during a cybersecurity incident. <\/p>\n\n\n\n

\u201cDefender fatigue is a real thing,\u201d says Lambert. \u201cYou have to be able to invest in those defenders so that they can surge when they need to. Security, like other professions, is not just a job, it’s also a calling. But it also leads to fatigue and exhaustion if the incident drumbeat is too strong. You have to have reserves and plan for that so that you can support your defenders and rest them in between incidents.\u201d<\/p>\n\n\n\n

As we prepare for future attacks, it comes down to joining forces. <\/p>\n\n\n\n

“When I think about what this incident means going forward, it certainly reinforces the need for the world to work together on these threats,\u201d explains Lambert. \u201cNo one company sees it all and it is very important, especially with sophisticated threats, to be able to work very quickly with lines of trust established. This is not just about companies working together, it’s also about individuals trusting each other, impacted companies, fellow security industry companies, and government institutions.\u201d<\/p>\n\n\n\n

How can you protect your organization and defenders?<\/h2>\n\n\n\n

Learn more in the final episode<\/a> of our four-part video series<\/a> \u201cDecoding NOBELIUM,\u201d where security professionals give insights from the after-action report on NOBELIUM. Thanks for joining us for this series and check out the other posts in the series:<\/p>\n\n\n\n