Skip to main content Why Microsoft Security AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Unified SecOps Zero Trust Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Priva Microsoft Purview Microsoft Sentinel Microsoft Security Copilot Microsoft Entra ID (Azure Active Directory) Microsoft Entra Agent ID Microsoft Entra External ID Microsoft Entra ID Governance Microsoft Entra ID Protection Microsoft Entra Internet Access Microsoft Entra Private Access Microsoft Entra Permissions Management Microsoft Entra Verified ID Microsoft Entra Workload ID Microsoft Entra Domain Services Azure Key Vault Microsoft Sentinel Microsoft Defender for Cloud Microsoft Defender XDR Microsoft Defender for Endpoint Microsoft Defender for Office 365 Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Security Exposure Management Microsoft Defender Vulnerability Management Microsoft Defender Threat Intelligence Microsoft Defender Suite for Business Premium Microsoft Defender for Cloud Microsoft Defender Cloud Security Posture Mgmt Microsoft Defender External Attack Surface Management Azure Firewall Azure Web App Firewall Azure DDoS Protection GitHub Advanced Security Microsoft Defender for Endpoint Microsoft Defender XDR Microsoft Defender for Business Microsoft Intune core capabilities Microsoft Defender for IoT Microsoft Defender Vulnerability Management Microsoft Intune Advanced Analytics Microsoft Intune Endpoint Privilege Management Microsoft Intune Enterprise Application Management Microsoft Intune Remote Help Microsoft Cloud PKI Microsoft Purview Communication Compliance Microsoft Purview Compliance Manager Microsoft Purview Data Lifecycle Management Microsoft Purview eDiscovery Microsoft Purview Audit Microsoft Priva Risk Management Microsoft Priva Subject Rights Requests Microsoft Purview Data Governance Microsoft Purview Suite for Business Premium Microsoft Purview data security capabilities Pricing Services Partners Cybersecurity awareness Customer stories Security 101 Product trials How we protect Microsoft Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Security Engineering Portal Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Marketplace Rewards Software development companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap

Content types

Products and services

Topics

Our story begins with eight Microsoft Detection and Response Team (DART) analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known as NOBELIUM had bypassed authentication checks and impersonated users to gain access to its data. This attack, later known as MagicWeb, wasn’t so much a whodunit as a how-done-it.

To discover potential security threats like MagicWeb, Microsoft DART uses the trillions of security signals that Microsoft tracks daily that help provide broad and deep insight into the threat landscape. Microsoft DART and the Microsoft Threat Intelligence Center (MSTIC) work together to find bad actors, understand their tactics, techniques, and procedures (TTPs), and alert the organizations that are, or could be, at risk. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information they need to secure their accounts. In some cases, the notified customers will engage with Microsoft DART and other industry partners on investigations, gathering new insights and disrupting the threat actors at each stage of the campaign.

NOBELIUM is an advanced and persistent adversary because of its tenacious attacks and ever-evolving TTPs. Most attackers play an impressive game of checkers, but increasingly we see advanced persistent threat actors playing a masterclass-level game of chess.

MagicWeb is a great example of NOBELIUM’s advanced attacks and was first profiled by Microsoft in August 2022. It was the first time that a Global Assembly Cache (GAC) implant was seen in the wild. This malware, later named MagicWeb, allows the attacker to authenticate as anyone in a targeted network and maintain persistent access to the customer environment they compromised. The team quickly homed in on examining certificate irregularities, which helped to solve the incident. The key to understanding MagicWeb lay in highly privileged certifications that NOBELIUM used to move laterally to gain administrative privileges to an Active Directory Federation Services (AD FS) system. The team discovered that NOBELIUM was using a compromised dynamic link library (DLL) that lived in an obscure GAC, a machine-wide cache for the common language infrastructure in the .NET framework.

Read the report to go deeper into the details of the attack, including NOBELIUM’s tactics, the response activity, and lessons that other organizations can learn from this case.

What is the Cyberattack Series?

With this new Cyberattack series, customers will discover how Microsoft incident responders investigate unique and notable exploits. For each attack story, we will share:

  • How the attack happened
  • How the breach was discovered
  • Microsoft’s investigation and eviction of the threat actor
  • Strategies to avoid similar attacks

Learn more

To learn more about Microsoft incident response capabilities, visit our website or reach out to your Microsoft account manager or Premier Support contact. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft Defender Experts

See posts by this author

Microsoft Incident Response

See posts by this author

Related posts

Get started with Microsoft Security

Protect your people, data, and infrastructure with AI-powered, end-to-end security from Microsoft.

Learn how

Connect with us on social

Surface Pro Surface Laptop Surface Laptop Studio 2 Copilot for organizations Copilot for personal use AI in Windows Explore Microsoft products Windows 11 apps Account profile Download Center Microsoft Store support Returns Order tracking Certified Refurbished Microsoft Store Promise Flexible Payments Microsoft in education Devices for education Microsoft Teams for Education Microsoft 365 Education How to buy for your school Educator training and development Deals for students and parents AI for education
Microsoft AI Microsoft Security Dynamics 365 Microsoft 365 Microsoft Power Platform Microsoft Teams Microsoft 365 Copilot Small Business Azure Microsoft Developer Microsoft Learn Support for AI marketplace apps Microsoft Tech Community Microsoft Marketplace Marketplace Rewards Visual Studio Careers About Microsoft Company news Privacy at Microsoft Investors Diversity and inclusion Accessibility Sustainability
English (United States)
Your Privacy Choices Opt-Out Icon Your Privacy Choices
Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads