Key Takeaways
- Fast phishing incident response reduces the impact of credential theft, malware, and account compromise.
- Employees should report suspicious emails immediately instead of deleting or ignoring them.
- Effective response plans combine user reporting, automated analysis, and rapid containment.
- Phishing simulations help organizations test and improve reporting behaviour over time.
- Continuous awareness training strengthens employee confidence in identifying and escalating threats.
The Nobelium hackers did not announce themselves with a ransom note or a defaced website. For more than a year, from the first intrusion into SolarWinds in September 2019 to the discovery in December 2020, the operation ran without triggering an alarm at SolarWinds or at the government agencies and technology companies it reached. By the time the breach was discovered, the attackers had already removed their code from SolarWinds' build systems months earlier.
The Nobelium group came to public attention in December 2020, when the compromise of SolarWinds Corporation's Orion platform was disclosed; Microsoft later gave the actor the name Nobelium. Russian state hackers have long been accused of carrying out highly sophisticated cyber attacks, and this operation turned out to be among the most damaging ever recorded.
| Attribute | Detail |
|---|---|
| Group Name | Nobelium (also tracked as APT29, Cozy Bear) |
| Sponsoring Nation | Russia (SVR foreign intelligence service) |
| Primary Attack Vector | Supply chain compromise |
| Major Target | SolarWinds Orion Platform |
| Organizations Affected | About 18,000 received the trojanized update; a far smaller set were selected for follow-on intrusion |
| First Identified | FireEye, December 2020 |
| Active Since | At least 2019 |
Microsoft reported in October 2021 that, from May 2021 onwards, Nobelium had targeted around 140 IT resellers and technology service providers, of which as many as 14 were believed to have been compromised.
Microsoft classifies Nobelium as an Advanced Persistent Threat (APT) that targets IT resellers, managed service providers and cloud service providers in order to piggyback on the privileged access those providers hold into their customers' environments.
Who Are the Nobelium Hackers?
Nobelium is a Russian state-sponsored hacking group, officially attributed to Russia's SVR foreign intelligence service and widely linked to the APT29 threat actor cluster. It is best known for orchestrating the 2020 SolarWinds breach, one of the largest supply-chain attacks on record.
Its signature approach is the supply chain attack: compromise a trusted vendor or service provider once, then reach that provider's customers through the trust relationship they already have with it. The same approach underlies its later targeting of around 140 resellers and technology service providers in the global IT supply chain.
Their campaigns typically start months or years before anyone realizes a breach has occurred. Rather than breaking in through a front door, they embed malicious code into trusted software channels so that their payload gets delivered to victims by the same update servers those organizations already rely on.
Nobelium is also tracked under different names across the security industry. Microsoft calls the group Nobelium; other researchers link it to APT29 and Cozy Bear, the actor widely believed to have breached the Democratic National Committee in 2016. Beyond supply-chain compromise, the group's tradecraft includes spear phishing, password spraying, token theft, and abuse of cloud and identity APIs.
Are the Nobelium Hackers Legit? A Word on Scams
If you received an email, message, or phone call from someone claiming to represent “Nobelium hackers,” whether they are demanding payment, threatening to release data, or offering to recover lost cryptocurrency, that is a scam. The real Nobelium group is a nation-state intelligence operation. They do not contact individuals or businesses directly demanding ransom. Any such communication is fraudulent and should be reported to your local cybercrime authority immediately.

What Happened at SolarWinds Corporation?
The Nobelium hackers inserted a backdoor into Orion, a network management product developed and distributed by SolarWinds Corporation, and let SolarWinds' own update mechanism deliver it to thousands of systems. In a supply chain attack the attacker compromises a trusted software vendor rather than targeting end users directly; the victims receive malicious code from a source they already trust, which makes detection far harder.
SolarWinds Corporation is a software company that provides system management and technical services to organizations globally. Their Orion platform was an IT performance management system with access to thousands of customers’ networks, making it an attractive target for a group seeking to reach as many high-value organizations as possible through a single point of compromise.
The malicious code sat inside a signed Orion component used by numerous government agencies and multinational companies worldwide. Once installed, it gave the hackers a backdoor into the host, from which they stole credentials and authentication tokens that allowed them to impersonate legitimate users of the victim organizations.
The update carrying the malware reached around 18,000 customers. From there, Nobelium activated the backdoor selectively on its highest-value targets, including Microsoft, the US Treasury, the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice (DOJ). The DOJ later said that roughly 3% of its Office 365 mailboxes were potentially accessed.
Microsoft later estimated that this level of attack would have taken approximately 1,000 engineers to execute.
Timeline of the SolarWinds Attack
- 4 September 2019: Nobelium hackers gain initial access to SolarWinds Corporation.
- 12 September 2019: The hackers inject test code into the Orion build and run a trial of the injection technique later used to embed SUNBURST. SUNBURST is the name FireEye gave to the backdoor, which hid within legitimate Orion software updates.
- 20 February 2020: The attackers compile the real SUNBURST backdoor into the Orion build; tainted updates ship to customers from March 2020.
- 4 June 2020: The attackers remove the SUNBURST code from SolarWinds' build environment. The payload had already been delivered to customers.
- 8 December 2020: FireEye, a cybersecurity company, uncovers a breach in its own systems and begins an investigation.
- 12 December 2020: FireEye traces its breach back to a trojanized Orion update and notifies SolarWinds; the compromise is disclosed publicly the following day.
- 15 December 2020: SolarWinds releases a hotfix that removes the backdoor.
The gap in this timeline warrants attention. Nobelium had access to SolarWinds infrastructure for over a year before anyone knew. The malware had completed its work well before a fix was ever issued.

How Was Nobelium Caught?
FireEye was the company that first identified the breach and alerted the world. It did not find the attack through proactive threat hunting: its own systems had been compromised, and tracing that intrusion backward led to the poisoned Orion update.
Microsoft then investigated the full extent of the attack. The implant planted by the Nobelium hackers had remained undetected until December 2020. Microsoft subsequently published a series of technical guidelines for affected customers.
The US government did not publicly attribute the operation until January 2021, when the Intelligence Community stated that it was likely Russian in origin; in April 2021 it formally attributed the operation to the SVR. Nobelium did not slow down: between 1 July and mid-October 2021, Microsoft informed 609 customers that Nobelium had attacked them a total of about 22,868 times, with a success rate in the low single digits. For comparison, in the three years before July 2021 Microsoft had notified customers of nation-state attacks around 20,500 times in total.
Nobelium has remained active well beyond the SolarWinds breach. Microsoft has continued to track and report on Nobelium campaigns targeting government agencies, IT service providers, and think tanks across the US and Europe, confirming that the group did not stand down after the 2020 attack was exposed.
State-Sponsored Cyber Attack Groups
Nation-state cyberattacks are carried out in the interest of a host country to damage the target nation, and thus fall into a different category from financially motivated cybercrime. They are backed by government resources and operate with objectives that go beyond money, targeting critical infrastructure, intelligence agencies, and government systems. Some of the most active state-sponsored groups currently tracked include:
- Cozy Bear / APT29 (allegedly backed by Russia, linked to Nobelium)
- Fancy Bear / APT28 (allegedly backed by Russia)
- Lazarus Group (allegedly backed by North Korea)
- Double Dragon / APT41 (allegedly backed by China)
Organizations continue to harden their infrastructure against such attacks, while threat actors keep developing new methods to carry them out. Among all types of cyber attacks, malware-based attacks remain the most common. Ransomware is a prominent example, and some groups have built a business model around it, offering Ransomware-as-a-Service to affiliates who want to attack other organizations.
Read more: Ransomware as a Service Attack
How to Protect Your Organization Against Supply Chain Attacks
The SolarWinds breach showed that organizations often trust their software vendors without verifying what those vendors ship. When an attacker gains access to the vendor, victims have no obvious reason to be suspicious, because the malicious update arrives from a source they have already approved and rely on.
Verify software update integrity. Before deploying any third-party update, check its hash against the values the vendor publishes and verify its code signature against the vendor's certificate. An update that cannot be verified should not be deployed. Be clear about what this does and does not catch: it defends against tampering in transit or on a mirror. The SUNBURST component was built inside SolarWinds' own pipeline and carried a valid SolarWinds signature, so hash and signature checks would have passed. Integrity verification is necessary, but it must be combined with the controls below.
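A fail-closed integrity check of the kind described above, written as an added example for this article (it is not SolarWinds' or any vendor's code). It assumes the vendor publishes a manifest in the common `sha256sum` text format (one `<hex digest>  <filename>` per line) and that you obtained that manifest over a channel independent of the download. The update directory and manifest below are constructed sample data; the function names `parse_manifest`, `verify_update_dir` and `deployment_allowed` are this example's own.

```python
"""Verify downloaded update files against a vendor-published hash manifest.

Every file shipped must be listed, every listed file must be present, and
digests are compared in constant time. Any deviation blocks deployment.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict

HEX = set("0123456789abcdef")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Blank lines and '#' comments are ignored. A malformed line raises, because
    a manifest we cannot parse is not one we should trust.
    """
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0].lower()) <= HEX:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum
    return expected


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update_dir(update_dir: str, manifest_text: str) -> Dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'unlisted' | 'missing'}."""
    expected = parse_manifest(manifest_text)
    present = {n for n in os.listdir(update_dir) if os.path.isfile(os.path.join(update_dir, n))}
    results: Dict[str, str] = {}
    for name in sorted(present | set(expected)):
        if name not in expected:
            results[name] = "unlisted"      # shipped, but the vendor never listed it
        elif name not in present:
            results[name] = "missing"       # listed, but not delivered
        else:
            actual = sha256_file(os.path.join(update_dir, name))
            results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "mismatch"
    return results


def deployment_allowed(results: Dict[str, str]) -> bool:
    """Fail closed: an empty result set or any non-'ok' status blocks deployment."""
    return bool(results) and all(status == "ok" for status in results.values())


def demo() -> Dict[str, str]:
    """Constructed update directory: one good file, one tampered file, one file
    the manifest never listed, and a manifest entry for a file that never arrived."""
    good = b"legitimate component bytes"
    tampered = b"component with an extra implant"
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("core.dll", good), ("agent.dll", tampered), ("extra.dll", b"x")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = "\n".join([
            "# constructed manifest, in the form a vendor might publish",
            f"{hashlib.sha256(good).hexdigest()}  core.dll",
            f"{hashlib.sha256(b'original agent bytes').hexdigest()}  agent.dll",
            f"{hashlib.sha256(b'never shipped').hexdigest()}  helper.dll",
        ])
        return verify_update_dir(d, manifest)


if __name__ == "__main__":
    results = demo()
    for name, status in results.items():
        print(f"{status:9s} {name}")
    print("deploy:", deployment_allowed(results))
```

The `unlisted` and `missing` statuses matter as much as `mismatch`: an extra file dropped into an update package is exactly how an implant rides along, and a listed file that never arrived suggests the package was altered. Keep in mind the caveat above: if the vendor's build itself is compromised, the vendor publishes the hash of the tampered file and this check passes.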
Adopt a zero-trust network model. The Nobelium hackers moved laterally through victim networks because those networks trusted connected systems by default. A zero-trust approach requires that every device, user, and application continuously authenticate, regardless of where they sit on the network.
Limit third-party access. Audit every vendor and tool with access to your network and apply the principle of least privilege to all of them, not just internal users. Nobelium exploited the broad network access that SolarWinds’ Orion required to function.
Run security awareness training. Many of Nobelium’s follow-on attacks after the initial SolarWinds breach came through targeted spear-phishing. Employees who can spot suspicious emails stop many attacks before they reach the network.
Monitor for unusual behavior. Tools that establish a baseline of normal network activity and flag deviations, even from trusted software, can catch supply chain attacks before they escalate. SUNBURST was built to blend in: it waited up to two weeks before its first beacon, disguised its command-and-control traffic as Orion's own telemetry, and encoded the data it sent into DNS names. Behavioral monitoring is one of the few controls capable of catching that.
Most ransomware attacks also arrive by email: spam or spoofed messages lure targets into clicking links to phishing websites or opening attachments that deliver malware. This is why security awareness training matters alongside technical controls. Organizations that train employees to identify and report suspicious communications cut their exposure across all threat categories.
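Baseline-and-deviation detection of the kind the "Monitor for unusual behavior" point above calls for, written as an added example for this article (it is not code from the article, SolarWinds, or any detection vendor). It assumes a constructed DNS query log with one query per line, `<ISO timestamp> <host> <process> <queried name>`, and approximates the registrable domain as the last two labels, so it does not handle `co.uk`-style suffixes. It learns which parent domains each host normally contacts, then flags a never-seen parent domain reached through many distinct, high-entropy subdomain labels, the shape a beacon takes when it encodes data into DNS names. The host, process and domain names in the sample logs are invented.

```python
"""Flag hosts contacting new parent domains through many random-looking subdomains."""
import math
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed learning window: ordinary activity for one management server.
BASELINE_LOG = """\
2020-03-01T10:00:00 mgmt01 nms-collector.exe updates.vendor.example
2020-03-01T10:05:00 mgmt01 nms-collector.exe api.vendor.example
2020-03-02T10:00:00 mgmt01 nms-collector.exe updates.vendor.example
2020-03-02T11:00:00 mgmt01 svchost.exe time.os-vendor.example
2020-03-03T09:00:00 mgmt01 svchost.exe ctldl.os-vendor.example
"""

# Constructed detection window: the same server, one new benign site, and a
# beacon-like pattern (random labels under one parent domain never seen before).
DETECTION_LOG = """\
2020-03-15T02:00:00 mgmt01 nms-collector.exe updates.vendor.example
2020-03-15T02:10:13 mgmt01 nms-collector.exe k3j9x2mv8q1p7r4t.telemetry.cdn-stat.invalid
2020-03-15T02:24:48 mgmt01 nms-collector.exe z8w1c5nq4b7h2y6e.telemetry.cdn-stat.invalid
2020-03-15T02:39:05 mgmt01 nms-collector.exe f4d7s1l9o3a6u2g8.telemetry.cdn-stat.invalid
2020-03-15T02:53:27 mgmt01 nms-collector.exe m2r6v9t1x5k8p3b7.telemetry.cdn-stat.invalid
2020-03-15T08:00:00 mgmt01 svchost.exe time.os-vendor.example
2020-03-15T09:00:00 mgmt01 browser.exe www.newvendor.example
2020-03-15T09:01:00 mgmt01 browser.exe www.newvendor.example
"""

Row = Tuple[str, str, str, str]   # timestamp, host, process, queried name


def parse_log(text: str) -> List[Row]:
    rows: List[Row] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, host, proc, name = raw.split()
        rows.append((ts, host, proc, name.lower().rstrip(".")))
    return rows


def parent_domain(name: str) -> str:
    """Registrable domain approximated as the last two labels (assumption: no
    public-suffix list, so multi-label suffixes are not handled)."""
    return ".".join(name.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near 4."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def learn_baseline(rows: List[Row]) -> Dict[str, Set[str]]:
    """host -> parent domains seen during the learning window."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _, host, _, name in rows:
        baseline[host].add(parent_domain(name))
    return baseline


def detect(rows: List[Row], baseline: Dict[str, Set[str]],
           min_labels: int = 3, min_entropy: float = 3.0) -> List[dict]:
    """Flag (host, process, parent) where the parent is new for the host and is
    reached via many distinct leftmost labels whose mean entropy is high."""
    new_activity: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for _, host, proc, name in rows:
        parent = parent_domain(name)
        if parent in baseline.get(host, set()):
            continue                       # within this host's normal behaviour
        new_activity[(host, proc, parent)].add(name.split(".")[0])
    findings = []
    for (host, proc, parent), labels in sorted(new_activity.items()):
        mean_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if len(labels) >= min_labels and mean_entropy >= min_entropy:
            findings.append({"host": host, "process": proc, "parent": parent,
                             "distinct_labels": len(labels),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings


def run() -> List[dict]:
    baseline = learn_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(DETECTION_LOG), baseline)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The benign `www.newvendor.example` visits are new for the host but use one low-entropy label, so they do not fire; the four random labels under `cdn-stat.invalid` from the management process do. Two caveats follow directly from how SUNBURST behaved: the learning window must be long enough to outlast an implant's dormancy (SUNBURST waited up to two weeks), and a baseline learned after the implant is already beaconing will treat its domain as normal, so review what the baseline contains before trusting it.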
FAQs
Who are the Nobelium hackers?
Nobelium is a Russian state-sponsored hacking group attributed to Russia's SVR foreign intelligence service. It is best known for the 2020 SolarWinds supply chain attack, which delivered a backdoor to around 18,000 organizations, including multiple US government agencies.
Are the Nobelium hackers legit, or a scam?
The Nobelium hacker group is a real, state-sponsored APT operation. However, any email, call, or message you receive from someone claiming to be "Nobelium hackers" demanding payment or threatening to release your data is a scam. The actual group does not contact individuals or businesses directly.
Is Nobelium still active?
Yes. Microsoft has continued tracking Nobelium activity well beyond the 2020 SolarWinds breach, with confirmed campaigns targeting government agencies, IT service providers, and think tanks across the US and Europe through 2021 and beyond.
Security Compliance Executive
Department: Compliance, Threatcop
Sanjana is a Security Compliance Executive who works on industry-leading compliance frameworks relevant to cybersecurity, covering their implementation, lessons learned and outcomes across various business domains.
