ANSSI observes spike in phishing campaigns, with Nobelium hackers likely behind the attacks

The ANSSI (French National Cybersecurity Agency) said on Monday that it has observed a number of phishing campaigns directed against French entities since February this year. The agency confirmed that it has also dealt with a series of phishing campaigns, with the numbers significantly rising in May. Technical indicators observed by ANSSI correspond to activities associated with the Nobelium intrusion set, ANSSI said. 

“Of particular note, the intrusion set involved during this malicious activity has succeeded in compromising email accounts belonging to French organisations, and then using these to send weaponised emails to foreign institutions,” the ANSSI said in its report. “Moreover, French public organisations have also been recipients of spoofed emails sent from supposedly compromised foreign institutions.” 

Technical indicators corresponding to activities associated with the Nobelium intrusion set were also released. “This intrusion set would have been used in other attack campaigns targeting diplomatic entities and international organisations across Europe and North America. Overlaps have also been identified in the tactics, techniques & procedures (TTP) between the phishing campaigns monitored by ANSSI and the supply chain attack via SOLARWINDS in 2020,” it added.

The payload delivered by the intrusion set is a Cobalt Strike implant, ANSSI said. It is configured to contact its command and control (C2) servers using HTTPS over port 443. The intrusion set's C2 infrastructure is made up of virtual private servers (VPS) from different hosting providers, and the intrusion set seems to favor servers located close to the target countries. In particular, several IP addresses within the C2 infrastructure belong to OVH, the agency added.

ANSSI also noted that the domain names used by the intrusion set for Cobalt Strike C2 resemble legitimate domain names. “A number of domain names registered by the intrusion set mimic information and news websites. In the majority of cases, the intrusion set registers its domain names with NAMESILO and NAMECHEAP,” it added.

Because the documented chain of compromise relies mainly on the victim opening a malicious file attachment delivered by phishing, the French agency recommended that suspicious files not be executed. In addition, as the intrusion set tends to focus on Active Directory (AD) servers in particular, organizations were advised to tighten the security measures protecting them.

The ANSSI’s alert comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) directed organizations to Microsoft’s blog on Nobelium attacks targeting cloud services and other technologies. The agency had at the time urged users and administrators to review and apply the necessary mitigations. 

On Monday, the Canadian Centre for Cyber Security (Cyber Centre), Canada’s authority on cyber security, said that it had knowledge of 235 ransomware incidents against Canadian victims from Jan. 1 to Nov. 16 this year. More than half of these victims were critical infrastructure providers. It is important to note, however, that most ransomware events remain unreported. The agency also added that once targeted, ransomware victims are often attacked multiple times. 

The Cyber Centre continues to regularly observe high-impact ransomware campaigns that can cripple businesses and critical infrastructure providers. The report said that “Critical infrastructure and large enterprises are the most lucrative ransomware targets, because they are the least able to tolerate operating disruptions and they have the deepest pockets.” 

In the first six months of this year, over half of all Canadian ransomware victims belonged to a critical infrastructure sector, such as energy, health, and manufacturing, the report added.

The German cybersecurity authority BSI has also warned of ransomware attacks over the Christmas holidays, fearing the return of the Emotet botnet. The BSI has also urged German organizations to patch their systems.

At the start of the current holiday season, the U.S. CISA and the Federal Bureau of Investigation (FBI) urged all entities, especially critical infrastructure partners, to examine their current cybersecurity posture and implement best practices and mitigations to manage the risk posed by cyber threats.
