
Nobelium: The Nation-State Hacker Group You All Know but Never Heard of

Posted on January 7, 2022 (updated July 25, 2022) By Kyle

Arguably one of the most sophisticated and elaborate cyber-attacks of recent years was the infamous SolarWinds supply-chain attack. The effects of this attack are wide-reaching and still largely unknown. With an initial compromise estimated in September 2019 and discovery in December 2020, it is impossible to truly calculate what data was taken and what other malware was covertly installed. The sheer scale and level of complexity behind this hack is amazing! But who exactly is behind this infamous hack? Well, would it surprise you if I told you it was (most likely) a Russian state-sponsored hacking group? In comes Nobelium.

Honestly, I was surprised that there wasn't more information on this group, or even much buzz about a name being assigned to this activity and other related matters. While scrolling through Mandiant's blog, I discovered that Microsoft had assigned the group a name. They also associated tactics and specific malware with the group! I then went on a deep dive to find more information, and figured I would attempt to aggregate all of it onto one page. I have done my best to provide links if you need more detail.

Here is a list of various attacks and malware that have been attributed to Nobelium:

  1. SolarWinds Supply Chain Attack – This refers to the original compromise of the product. See the first link for the Senate's detailed report and overview.
  2. SUNBURST Backdoor – This refers to a trojanized DLL file (SolarWinds.Orion.Core.BusinessLayer.dll) that was installed after the initial compromise of the SolarWinds product. This DLL was embedded in the product repository and distributed to numerous organizations and users. The malware opens a backdoor to Nobelium's known C2 infrastructure. Here is an article from the InfoSec Institute for further details.
  3. TEARDROP Malware – Another piece of malware associated with the SolarWinds hack. It is a Remote Access Trojan (RAT) disguised as another DLL file. It attempts to set up remote access using code it carries in memory from a legitimate pentesting tool, Cobalt Strike. This gives the attacker remote control and lets them move laterally through an infected system. With this foothold, further recon can be performed or more malware can be silently installed. For more detailed info, as well as known signatures for this malware, check out Infoblox.
  4. SUNSHUTTLE Malware – This is a secondary backdoor, AGAIN associated with the SolarWinds attack. It is assumed to be installed after an initial backdoor is in place, to ENSURE persistence. This malware is associated with a file called "Lexicon.exe". It establishes a connection with a server on a domain well known for hosting nation-state C2 infrastructure and is used in conjunction with SUNBURST. For more info, here is Mandiant.
  5. GOLDMAX Malware – Mainly employed for continued persistence, this malware uses advanced obfuscation techniques to stay hidden as long as possible. Yet another tool that provides a backdoor to the attacker, it establishes encrypted communication with a C2 network. According to Microsoft, the C2 domains it uses are often older and more established, which leads many security analysts to overlook traffic flowing to them. Another interesting obfuscation technique is the naming of, and data within, its config file. While usually stored in an encrypted file called "features.dat.tmp", the name can vary by malware version. The attacker can also change the data within the configuration file at any time, which makes signature-based detection much more challenging. Other very interesting features of this malware include trigger dates, decoy traffic generation, etc. Unfortunately, this is only a quick overview of GOLDMAX; for more details and to see where I found my info, please see this Microsoft Analysis.
  6. SIBOT Malware – Considered to be in the same "family" as GOLDMAX, SIBOT has 3 different variants. All three have the same purpose: maintaining persistence and downloading other payloads from remote C2 infrastructure (are we seeing a theme here?). Without getting into too much detail, SIBOT reaches out to compromised but legitimate websites and installs a DLL file into the drivers folder under System32. Attackers can then update the DLL periodically instead of having to install new software on the victim machine. Some variants first download a second-stage script, which can specify certain parameters prior to payload install. For a more detailed look and to see where I got my info, please see the same Microsoft Analysis I linked previously.
  7. GOLDFINDER Malware – This is the last known malware that I could find associated with Nobelium. It is also considered to be in the same family as GOLDMAX. It is less malware and more of a tool for the attacker: it appears to generate a log of the network route to an established C2 server, most likely to debug and provide more information when using the other GOLDMAX-associated malware. For a more detailed look and to see where I got my info, please see the same Microsoft Analysis I linked previously.
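The file and DLL names above (the trojanized Orion DLL, Lexicon.exe, the GOLDMAX config, the SIBOT DLL drop under System32\drivers) are the kind of hints a defender would fold into a first-pass triage over endpoint telemetry. The script below is an added example, not code from the post or from any vendor analysis it links; the event format and the sample events are constructed, and the names come only from the post.

```python
import json
import re

# Filename hints taken from the post above. These are NOT a hash-based
# signature: the legitimate Orion DLL shares its name with the trojanized one,
# and the GOLDMAX config name varies by version, so every hit needs follow-up.
FILE_NAME_INDICATORS = {
    "solarwinds.orion.core.businesslayer.dll": "SUNBURST (verify DLL hash/signature)",
    "lexicon.exe": "SUNSHUTTLE",
    "features.dat.tmp": "GOLDMAX config (name varies by version)",
}
# SIBOT drops a DLL into the System32 drivers folder; a DLL created there is
# worth a look regardless of its name, because the attacker controls the name.
DRIVERS_DLL_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.dll$", re.IGNORECASE)


def triage_event(event: dict) -> list[str]:
    """Return the list of hits for one file_create / image_load event."""
    path = event.get("path", "")
    name = path.rsplit("\\", 1)[-1].lower()
    hits = []
    if name in FILE_NAME_INDICATORS:
        hits.append(FILE_NAME_INDICATORS[name])
    if event.get("type") == "file_create" and DRIVERS_DLL_RE.search(path):
        hits.append("SIBOT-style DLL drop in drivers folder")
    return hits


def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged path to its hits; events that match nothing are skipped."""
    flagged = {}
    for line in lines:
        event = json.loads(line)  # constructed format: one JSON object per line
        hits = triage_event(event)
        if hits:
            flagged[event["path"]] = hits
    return flagged


# Constructed sample events (not real telemetry); hostnames and the drivers
# DLL name are made up for the example.
SAMPLE_LOG = [
    '{"type": "image_load", "host": "orion01", "path": "C:\\\\Program Files\\\\SolarWinds\\\\Orion\\\\SolarWinds.Orion.Core.BusinessLayer.dll"}',
    '{"type": "file_create", "host": "ws17", "path": "C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\features.dat.tmp"}',
    '{"type": "file_create", "host": "ws17", "path": "C:\\\\Windows\\\\System32\\\\drivers\\\\netupd.dll"}',
    '{"type": "file_create", "host": "ws17", "path": "C:\\\\Windows\\\\System32\\\\drivers\\\\ndis.sys"}',
    '{"type": "image_load", "host": "ws22", "path": "C:\\\\Windows\\\\System32\\\\kernel32.dll"}',
]

if __name__ == "__main__":
    for path, hits in triage_log(SAMPLE_LOG).items():
        print(path, "->", ", ".join(hits))
```

Because GOLDMAX's config name and contents can change between versions, a filename hit is a lead to pivot on (hash, signer, parent process, the C2 domain age the post mentions), not a verdict on its own.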

I hope you can see there is a theme here, one common to all of these nation-state groups: persistence. After an initial attack and compromise, numerous pieces of malware are installed with the purpose of keeping the connection open. Backdoors upon backdoors! Nobelium's malware exhibits advanced communication capabilities and obfuscation techniques. It is my opinion that as we see corporations and governments become more dependent on one another (if not merge), we will see more complex attacks on various US industries. As security professionals, it is essential that we all keep track of the tactics and techniques of these groups regardless of our industry.
