ANSSI has observed several phishing campaigns against French entities since February 2021 whose technical markers match the modus operandi of Nobelium, the group to which the SolarWinds affair in the United States last year is attributed, AFP reports.
“These campaigns made it possible to compromise the email accounts of French organizations, and to send booby-trapped e-mails from these accounts to foreign institutions in the diplomatic sector,” says its report. “In addition, French public organizations have also been the recipients of booby-trapped messages from supposedly compromised foreign institutions.”
These malicious activities follow the same attacker modus operandi (MOA): the attacker compromises the email accounts of trusted entities and uses them to send its phishing emails.
These emails carry an HTML attachment, named “EnvyScout”, containing a Google Drive link that the user had to open in order to download the malicious code and execute the Cobalt Strike payload.
The infrastructure used by Nobelium in the attacks against French entities was mainly set up on virtual private servers (VPS) rented from various hosting providers (with a preference for OVH servers located near the target countries), Bleeping Computer reports.
The ANSSI report details the technical information related to the phishing campaigns, the nature of the malicious activities observed, the TTPs and the attackers’ infrastructure.
Recommendations and indicators of compromise are given at the end of the document; the report recommends “not executing questionable files” and “applying enhanced security measures” to Active Directory servers.