
Nobelium APT

Posted: March 5, 2021

The Nobelium APT, also called Solarigate or UNC2542, is an Advanced Persistent Threat (APT) group whose members' origins are not yet clear. The criminals recently made headlines because of their successful supply-chain attack against the software vendor SolarWinds. They used a range of implants to gain a foothold in key parts of SolarWinds' network and, from there, access to confidential information. SolarWinds is, however, only one of the many targets of the Nobelium APT hackers: in the past, they have attacked other US-based companies, usually in the government or technology sectors.

The group is one of many to adopt Google's Go programming language, which has been gaining popularity rapidly in malware development. Its primary advantage over more established languages is that it may be somewhat better at obscuring code and making it harder for security products to identify. Of course, this does not mean that malware written in Go is undetectable: Nobelium APT's implants are already identified and removed by major anti-virus products.
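The flip side of the point above is that a Go-compiled binary is also easy to recognise as such, which is useful during triage: the Go toolchain leaves characteristic artifacts in every binary it produces. The following is an added example written for this page, not code from the article or from any vendor it names. It scans a byte blob for the pclntab header magic, the build-info blob, the linker's build ID string and a `go1.x` version string; the magic values and version ranges are my reading of the Go runtime and linker sources and should be treated as assumptions, and the sample input is constructed rather than taken from any real malware.

```python
"""Triage heuristic: does a binary look like it was built with the Go toolchain?

Added example (not from the page). Scans a byte blob for artifacts the Go
linker embeds in every binary. The magic values and version ranges below are
my reading of the Go runtime/linker sources; treat them as assumptions.
"""
import re
import sys
from typing import Dict, List

PCLNTAB_MAGICS: Dict[bytes, str] = {
    # little-endian uint32 magic followed by two zero pad bytes
    b"\xfb\xff\xff\xff\x00\x00": "pclntab header (Go 1.2-1.15)",
    b"\xfa\xff\xff\xff\x00\x00": "pclntab header (Go 1.16-1.17)",
    b"\xf0\xff\xff\xff\x00\x00": "pclntab header (Go 1.18-1.19)",
    b"\xf1\xff\xff\xff\x00\x00": "pclntab header (Go 1.20+)",
}
BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 16-byte header of the build-info blob
BUILD_ID_PREFIX = b'Go build ID: "'      # build ID string written by the linker
GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")


def scan_go_markers(data: bytes) -> Dict[str, object]:
    """Return the Go artifacts found in `data` and a coarse confidence level.

    A single marker can be a coincidence (the pclntab magic is only a few
    bytes), so "high" confidence requires at least two independent markers.
    """
    markers: List[str] = [label for magic, label in PCLNTAB_MAGICS.items()
                          if magic in data]
    if BUILDINFO_MAGIC in data:
        markers.append("buildinfo blob (Go 1.13+)")
    if BUILD_ID_PREFIX in data:
        markers.append("Go build ID string")
    versions = sorted({m.decode("ascii") for m in GO_VERSION_RE.findall(data)})
    if versions:
        markers.append("go1.x version string")
    confidence = "high" if len(markers) >= 2 else ("low" if markers else "none")
    return {"is_go": bool(markers), "confidence": confidence,
            "markers": markers, "versions": versions}


def scan_file(path: str) -> Dict[str, object]:
    """Run the heuristic over a file on disk."""
    with open(path, "rb") as fh:
        return scan_go_markers(fh.read())


# Constructed sample: a fake PE header stub with Go artifacts spliced in.
# It is not a real binary, just enough bytes for the heuristic to react to.
SAMPLE_GO_LIKE = (
    b"MZ" + b"\x00" * 62
    + b"\xfa\xff\xff\xff\x00\x00\x01\x08"            # pclntab header, minLC=1, ptrSize=8
    + b'\xff Go build ID: "abcd1234/efgh5678"\n \xff'  # constructed build ID
    + BUILDINFO_MAGIC + b"\x08\x02" + b"\x08go1.16.5"  # ptrSize, flags, version string
)
# Constructed negative sample with no Go artifacts at all.
SAMPLE_NOT_GO = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print(scan_go_markers(SAMPLE_GO_LIKE))
        print(scan_go_markers(SAMPLE_NOT_GO))
```

Run it with a file path to triage a real sample, or with no arguments to see the two constructed samples classified. The heuristic only answers "was this built with Go?"; it says nothing about whether the file is malicious, which is why it belongs in a triage pipeline as an enrichment step rather than as a verdict.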

Some of Nobelium APT's key malware implants used during the SolarWinds hack are SUNBURST, SUNSPOT and Raindrop. In addition, researchers have attributed several older malware families to the same organization: the GoldMax Malware, the GoldFinder Malware and the Sibot Malware.

Nobelium APT's campaigns are thoroughly planned, and the criminals appear to rely exclusively on custom-built implants, each serving a specific purpose. Unfortunately, this is unlikely to be the last we hear of the Nobelium hackers and their activities. However, now that major cybersecurity companies are tracking them, it is likely that their future malware projects will be identified and stopped before they come anywhere near the success of the SUNBURST and SUNSPOT campaigns.
