Nobelium Groups UNC3004 and UNC2652 from Mandiant

Industry: Government & Technology | Level: Tactical | Source: Mandiant

Mandiant continues to track activity from Nobelium, specifically associated with cluster groups UNC3004 and UNC2652. Activities conducted by the group have involved data exploits relevant to Russian interests. Targets observed by Mandiant included, compromising technology solution companies, services and resellers. The groups use credentials likely from info-stealer malware or compromised entities and a new downloader dubbed "CEELOADER." Abusing Azure permissions and commands, harvesting mail data from user accounts with application impersonation privileges, abusing MFA push notifications, utilizing many native Windows services for lateral movement, discovery, credential access and data collection through RAR/7zip file and exfiltrated to Mega cloud storage are many of the tactics Nobelium has been utilizing.

• Anvilogic Scenario: APT29/Nobelium Behaviors
• Anvilogic Use Cases:
• Azure Command Execution on Virtual Machine
• Task Manager lsass Dump
• NTDSUtil.exe execution