New Malware Uncovered Linked to Nobelium’s Supply Chain Attacks
On Wednesday, cybersecurity researchers unveiled a previously unreported backdoor likely developed by Nobelium, the advanced persistent threat group responsible for last year’s SolarWinds supply chain attack. This latest malware, codenamed “Tomiris” by Kaspersky, further expands an arsenal of hacking tools employed by this notorious threat actor.
Nobelium, also tracked as UNC2452, SolarStorm, and Dark Halo, is known for patient, carefully staged intrusions against high-value targets. Kaspersky researchers noted that Tomiris bears strong similarities to SUNSHUTTLE (also known as GoldMax), a Go-based second-stage backdoor deployed during the SolarWinds campaign, in which the IT management software provider's Orion platform was trojanized to reach downstream customers.
The Tomiris backdoor, discovered in June from samples dating back to February, is written in Go and was delivered through DNS hijacking. The attackers redirected the hostnames of the targets' corporate email services so that users who typed the legitimate address landed on an attacker-controlled page, which prompted them to install a "security update" that was in fact the Tomiris dropper. These targeted operations primarily affected several government organizations in an undisclosed member state of the Commonwealth of Independent States (CIS).
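The initial-access stage above depends on the victim's DNS answers changing underneath them. The following is an added example written for this article, not code from Kaspersky's report or from the malware: a baseline check a defender could run from a monitoring job against a corporate webmail hostname. It records the expected nameserver delegation and the address blocks the host is allowed to resolve into, then compares live answers from more than one resolver against that baseline. The hostname, resolver names and addresses below are constructed sample data (RFC 5737 documentation ranges), and the monitoring job that would collect real answers is assumed, not shown.

```python
"""Baseline check for the DNS-hijacking stage of the Tomiris campaign (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsBaseline:
    """Expected delegation and address space for one hostname, recorded while DNS is known-good."""
    name: str
    nameservers: frozenset   # normalised NS names (lowercase, no trailing dot)
    address_blocks: tuple    # ipaddress networks that every A record must fall inside


def normalise(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.strip().lower().rstrip(".")


def check_delegation(baseline, observed_ns):
    """Flag nameservers that were not in the recorded delegation (a hijack at the registrar or registry)."""
    rogue = {normalise(n) for n in observed_ns} - baseline.nameservers
    if not rogue:
        return []
    return [f"{baseline.name}: delegation includes unknown nameserver(s) {sorted(rogue)}"]


def check_addresses(baseline, observed_a):
    """Flag A records outside the approved blocks; catches record changes even when NS looks intact."""
    findings = []
    for addr in observed_a:
        ip = ipaddress.ip_address(addr)
        if not any(ip in block for block in baseline.address_blocks):
            findings.append(f"{baseline.name}: A record {addr} is outside the approved address blocks")
    return findings


def compare_resolvers(answers):
    """Flag a host whose A records differ between resolvers.

    A hijacked delegation or a poisoned path usually shows up as a split view: the corporate
    resolver and an independent public resolver return different addresses for the same name.
    """
    distinct = {frozenset(addrs) for addrs in answers.values()}
    if len(distinct) <= 1:
        return []
    detail = "; ".join(f"{resolver}={sorted(addrs)}" for resolver, addrs in sorted(answers.items()))
    return [f"resolvers disagree: {detail}"]


def audit(baseline, snapshot):
    """Run all three checks over one collected snapshot and return every finding."""
    findings = check_delegation(baseline, snapshot["ns"])
    for addrs in snapshot["a"].values():
        findings.extend(check_addresses(baseline, addrs))
    findings.extend(compare_resolvers(snapshot["a"]))
    return findings


# Constructed sample data: hypothetical hostname, RFC 5737 documentation addresses.
BASELINE = DnsBaseline(
    name="mail.example.gov",
    nameservers=frozenset({"ns1.example.gov", "ns2.example.gov"}),
    address_blocks=(ipaddress.ip_network("203.0.113.0/24"),),
)

# Snapshots as a monitoring job might collect them: one clean, one after a delegation hijack
# that is visible only from outside the corporate network.
CLEAN_SNAPSHOT = {
    "ns": ["NS1.example.gov.", "ns2.example.gov"],
    "a": {"corp-resolver": ["203.0.113.25"], "public-resolver": ["203.0.113.25"]},
}
HIJACKED_SNAPSHOT = {
    "ns": ["ns1.example.gov.", "ns1.attacker-dns.invalid"],
    "a": {"corp-resolver": ["203.0.113.25"], "public-resolver": ["198.51.100.7"]},
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_SNAPSHOT), ("hijacked", HIJACKED_SNAPSHOT)):
        print(label, audit(BASELINE, snap) or "no findings")
```

Two design points matter in practice. The baseline must be captured from a known-good state and stored outside the zone it protects, otherwise an attacker who controls the delegation can also rewrite the reference. And at least one of the resolvers queried should sit outside the corporate network, because in the scenario the article describes the victims' own infrastructure may keep returning the old answers while the rest of the world is already being sent to the attacker.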
Kaspersky researchers emphasized that Tomiris is primarily a downloader: its job is to establish a foothold on the infected system and retrieve additional malicious components. The similarities they found with SUNSHUTTLE include the encryption scheme used for configuration and network data and the same English-language spelling mistakes, which points to shared authorship or shared development practices across the malware attributed to Nobelium, although such overlaps alone do not prove a common origin.
In MITRE ATT&CK terms, the documented part of this campaign is initial access: the DNS hijack gets the victim to an attacker-controlled page, but the infection still depends on the user executing the fake update, so awareness of unexpected "security update" prompts on a webmail login page is a relevant control. Tomiris then functions as a downloader, which implies persistence and a follow-on stage, but the published analysis does not describe the persistence or privilege-escalation techniques used once the backdoor was running.
This is not the first instance of overlapping techniques discovered among malware used by Nobelium. Kaspersky’s earlier analysis of Sunburst, another malware associated with the SolarWinds attack, unveiled shared features with Kazuar, a .NET-based backdoor attributed to the Turla group. The detection of Tomiris on networks also harboring Kazuar raises further questions about the interconnectedness of these threats.
While some researchers suggest that this overlap could indicate coordinated efforts among threat actors, there remains a possibility that it represents a false flag operation, wherein attackers replicate the tactics of known adversaries to mislead analysts and obscure their true origins.
This revelation comes shortly after Microsoft disclosed FoggyWeb, a post-exploitation backdoor Nobelium installs on already compromised Active Directory Federation Services (AD FS) servers to deliver additional payloads and to exfiltrate the AD FS configuration database and the token-signing and token-decryption certificates, material that lets the attacker forge authentication tokens for federated applications. Together with Tomiris, it shows the group continuing to add purpose-built implants rather than reusing a single toolset.
For companies navigating these challenges, staying informed of such threats is vital. Understanding the tactics and implications associated with advanced persistent threats can enhance cybersecurity postures and foster resilience against the ever-evolving landscape of cyber-attacks.