
Ensign Threat Advisory: SolarWinds Attackers NOBELIUM’s Next Wave


Ensign’s plans and procedures in response to the NOBELIUM threat actor group’s cyber attack campaigns.

We would like to share with you the plans and procedures we've put in place in response to the cyber attack campaign operated by the threat actor group NOBELIUM.

The Situation


Microsoft Threat Intelligence Center (MSTIC) has uncovered an evolving and sophisticated wide-scale malicious email campaign operated by NOBELIUM, the group behind last year's SolarWinds supply chain attack. The campaign has been observed operating since January 2021, with the group evolving the tactics it uses to deliver the malicious package.

As in most phishing campaigns, the attackers attempt to lure users into opening an e-mail and then either opening a malicious file or clicking a malicious link. One example involved e-mails purportedly originating from the USAID government agency, with a lure referencing foreign threats to the 2020 US Federal Elections. The e-mail contained a malicious link that redirected the victim to a download of an ISO file onto the victim's system. The ISO file contained both decoy and malicious files. If an unsuspecting victim opened the malicious files, the malware infection would begin, providing persistent remote access to the attackers.

Interestingly, the phishing message and delivery method were not the only evolving factors in the campaign. In one of the more targeted waves, no ISO payload was delivered, but additional profiling of the target device was performed by an actor-controlled web server after a user clicked the link. If the device targeted was an Apple iOS device, the user was redirected to another server under NOBELIUM control, where the since-patched zero-day exploit for CVE-2021-1879 was served. 

The History


NOBELIUM, a group connected to Russia, has historically targeted government and non-government organisations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. In this case, Microsoft reported that at least a quarter of the targets are involved in international development, humanitarian, and human rights work. The phishing attack has so far targeted some 3,000 accounts at more than 150 organisations across multiple industries based in the United States and Europe. The victims span 24 countries, though most attacks were aimed at the US.

The following industries have been observed being targeted thus far: 

  • NGOs 
  • Research Institutions 
  • Government Agencies 
  • International Agencies 
   

Microsoft further noted that this campaign differs significantly from NOBELIUM operations that ran from September 2019 until January 2021, which included the compromise of the SolarWinds Orion platform. It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents. 

Ensign Posture & Monitoring


Ensign has stepped up monitoring operations for our clients across both cloud and on-premises infrastructure. Our Managed Detection and Response platform and our proprietary machine learning analytics can detect and block malicious artifacts. Coupled with network layer defence, our protection controls prevent applications or users from accessing malicious sites. We have performed rounds of checks to verify that security configurations and patches are up to date.

Our Recommendations 

  • Keep systems fully patched.
  • Scan your environment for indicators of compromise (IOC) – see Microsoft Reference below.
  • Turn on cloud-delivered protection in your anti-virus software to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants. 
  • Run Endpoint Detection and Response (EDR) in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft anti-virus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the Internet. 
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 
  • Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint. 
  • Enable multifactor authentication (MFA) to mitigate compromised credentials. 
  • Turn on the following attack surface reduction rule to block or audit activity associated with this threat: Block all Office applications from creating child processes (assess impact before enabling). 
  • Regularly conduct security awareness training.

Ensign will continue to provide updates on the incident and inform you of additional recommendations.
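The following PowerShell sketch is an added example, not Ensign's or Microsoft's own tooling: it reports the state of the locally configurable Microsoft Defender settings named in the recommendations above and, when asked, enables them with the attack surface reduction rule in audit mode first. It assumes a Windows endpoint with the built-in Defender cmdlets; the `-Apply` switch is this script's own name, and changing settings requires an elevated session.

```powershell
# Added example: report (and optionally set) Defender settings from the recommendations.
# Without -Apply the script is read-only.
param([switch]$Apply)

# ASR rule "Block all Office applications from creating child processes"
# (GUID as documented by Microsoft for this rule)
$OfficeChildProcRule = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Find the configured action for the ASR rule: 0 = off, 1 = block, 2 = audit, 6 = warn
$asrAction = 0
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ("$($ids[$i])" -ieq $OfficeChildProcRule) { $asrAction = $actions[$i] }
}

# Current state of each setting the recommendations mention
$report = [ordered]@{
    'Cloud-delivered protection (0 off, 1 basic, 2 advanced)' = $pref.MAPSReporting
    'Network protection (0 off, 1 block, 2 audit)'            = $pref.EnableNetworkProtection
    'ASR Office child processes (0 off, 1 block, 2 audit)'    = $asrAction
    'Defender Antivirus running mode'                         = $status.AMRunningMode
    'Signature age in days'                                   = $status.AntivirusSignatureAge
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

if ($Apply) {
    # Cloud-delivered protection and network protection
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -EnableNetworkProtection Enabled

    # "Assess impact before enabling": start the ASR rule in audit mode.
    # Audit hits are logged as event ID 1122 in the
    # "Microsoft-Windows-Windows Defender/Operational" log.
    if ($asrAction -eq 0) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $OfficeChildProcRule `
                         -AttackSurfaceReductionRules_Actions AuditMode
    }
}

# EDR in block mode, automated investigation and device discovery are
# Defender for Endpoint service settings and are not set through these cmdlets.
```

Once the audit events show no legitimate Office workflows spawning child processes, the same rule can be switched to block by setting its action to `Enabled`.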


If you require further cybersecurity advice or services, please contact us at marketing@ensigninfosecurity.com.


References:

  • https://beta.darkreading.com/attacks-breaches/solarwinds-attackers-impersonate-usaid-in-advanced-email-campaign
  • https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
  • https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/