Russia's cyber spies still threatening French national security, democracy
Publishing right before a major election is apparently just a coincidence
A fresh report into the Nobelium offensive cyber crew published by France's computer emergency response team (CERT-FR) highlights the group's latest tricks as the country prepares for a major election and to host this year's Olympic and Paralympic Games.
Most infoseccers will know Nobelium/Midnight Blizzard as the Russian intelligence (SVR)-linked crew blamed for the SolarWinds supply chain attack disclosed in December 2020, but CERT-FR believes sharing details of the group's latest tradecraft may blunt its threat to national security in the coming months.
Nobelium's activity is often also tied to the APT29 moniker, but the French cybersecurity agency (ANSSI) treats Nobelium as a distinct intrusion set. It says the true APT29 was active between 2008 and 2019 and was responsible for the attack on the US DNC, while Dark Halo was the group that carried out the SolarWinds breach. To ANSSI, Nobelium is a separate entity, but like the other two it is linked to the Russian intelligence service. ANSSI says it was spun up in October 2020.
It's targeting diplomats, ministry officials
The researchers say its main focus is espionage, and claim it often targets the email accounts of diplomatic staff, their institutions, embassies, and consulates using phishing emails sent from the genuine mailboxes of foreign institutions that Nobelium has previously compromised.
CERT-FR's report states that the French public sector has been attacked several times by the group using this style of attack, which the report likens to business email compromise (BEC): because the messages come from a real, trusted sender rather than a spoofed address, they sail past reputation-based email filtering.
For example, "a variety of entities, including the French Ministry of Foreign Affairs" were targeted between February and May 2021, leading to an attempted deployment of Cobalt Strike, presumably to establish remote access. The attempt failed, but it was just one of many serious efforts to breach and gather intelligence from the French government.
The following year, Nobelium again tried to get one over on the French foreign ministry, targeting dozens of email addresses with phishing emails themed around the closure of a Ukrainian embassy or an appointment with a Portuguese ambassador.
In May 2023, France's embassy in Ukraine was one of many embassies in that country targeted by Nobelium, which used lures themed around the sale of a diplomatic car. France's embassy in Romania was also targeted, unsuccessfully, in the same month.
"ANSSI and [national partners (C4)] members consider that the imputation of these activities against French diplomatic entities to Nobelium is consistent," the report [PDF] reads.
"The tools and infrastructures employed by the attackers show similarities with other Nobelium-linked campaigns. The victims of these activities aiming to exfiltrate strategic intelligence are consistent with the usual targeting associated with Nobelium by other observers. The capabilities implemented to compromise such a vast number of email accounts, the persistence of the attacks, the efforts put into the forgery of lure documents indicate that Nobelium is almost certainly operated on behalf of a state actor."
While the report hasn't specifically been linked to increased detection of Russian aggression against the French government as its election period approaches, the timing of its publication is unlikely to be a mere coincidence.
CERT-FR concludes that Nobelium presents a genuine threat to both national security and the diplomatic interests of France and wider Europe.
Although the timeline CERT-FR provides shows no major attack against French government targets on home soil since 2022, there is clear concern about the Russians and what they might be hatching over the coming weeks.
No smoke without fire
France has a few good reasons to suspect a little Russian interference in the near future. In addition to the various attacks on its institutions, as recently as this year its European affairs minister Jean-Noel Barrot said Russia was responsible for a disinformation campaign to undermine president Emmanuel Macron.
Close followers of French current affairs will remember the hysteria surrounding the creepy crawly scare concerning a supposed bed bug infestation in Paris last year.
Barrot said the government believed Russian social media bots deliberately amplified the negative messaging around the incident and tried to pin the whole thing on the arrival of Ukrainian refugees to the French capital.
Going back to France's last presidential election, Macron was again the prime target of Russia's disinformation efforts after Russian intelligence breached the email accounts of his campaign and leaked a trove of documents, padded out with some fakes to assist the messaging, in an attempt to stoke division in French society.
The so-called Macron Leaks were a failure, however, and Russia wasn't able to achieve any success comparable to that which was allegedly seen with the Brexit referendum [PDF] and Donald Trump's election victory in 2016.
"The 2017 French presidential election remains the clearest failed attempt by a foreign entity to influence an electoral process in recent years," wrote Heather A Conley and Jean-Baptiste Jeangène Vilmer for the Center for Strategic and International Studies (CSIS).
"Taking aim at presidential candidate Emmanuel Macron, Russian interference succeeded neither in interfering with the election nor in antagonizing French society."
Over in the private sector, Microsoft recently shone a light on Russia's ongoing efforts to spread disinformation around the upcoming Olympic and Paralympic Games from which its athletes are banned.
Russia has been using deepfake technology, along with the usual promotion of fake news stories, to spread anti-Ukraine propaganda and claims about Macron's supposed indifference to France's socio-economic struggles, for example.
The campaigns follow similar efforts targeting both the Summer and Winter Games in recent years. Researchers claimed Russia tried to frame North Korea for the malware attacks on South Korea when that country hosted the 2018 Winter Games, and that it also targeted the more recent Tokyo 2020 Games. ®