? Malicious activities linked to the Nobelium intrusion set (19 juin 2024)

Several cyberattacks against French diplomatic entities can be linked to the Nobelium intrusion set. Nobelium is an intrusion set active since at least October 2020, used against high-value targets, most likely for espionage purposes. Western diplomatic entities, such as embassies and Ministries of Foreign Affairs, account for the majority of known victims of Nobelium. However, several IT companies have also reported that they have been targeted by Nobelium’s operators in late 2023 and 2024.

This document is based upon elements collected by ANSSI, elements shared by its national partners (known as C4 members), and publicly available reports. It exposes phishing campaigns linked to Nobelium against French public and diplomatic entities aiming to exfiltrate strategic intelligence. It also recapitulates attacks publicly attributed to Nobelium against international IT companies through which Nobelium’s operators potentially seek to strengthen their offensive capabilities.

The Nobelium intrusion set has been publicly linked to the Russian SVR by different sources. Nobelium’s activities against government and diplomatic entities represent a national security concern and endanger French and European diplomatic interests.

Indicators of compromise are available in structured formats on the page CERTFR-2024-IOC-001.

DOWNLOAD THE REPORT