Threats

SolarWinds hackers set up phony media outlets to trick targets

New infrastructure, old tricks.

May 3, 2022

The Russian hacking group behind the SolarWinds hack, Nobelium, is setting up new infrastructure to launch attacks using old tricks, researchers at Recorded Future found. The findings, published Tuesday and shared first with CyberScoop, demonstrate how the group has evolved in recent months in an effort to avoid researcher detection.

Researchers identified more than four dozen domains the group used in phishing attacks, some of which attempted to emulate real brands. The tactic, in which hackers register potentially misspelled versions of real brand domains to trick targets, is known as “typosquatting.”

By posing as legitimate-looking entities, hackers can more easily trick victims into clicking on links that may be used in credential theft and other crimes. Typosquatting is a common tool associated with Nobelium and has been used by the group in other campaigns, including recent attacks against Ukrainian targets.

The set of domains that Recorded Future identified emulated brands across industries but particularly focused on posing as news and media organizations. Researchers emphasized that the industries emulated did not necessarily equate to industries the group targeted.

Nobelium, also known as APT29 or CozyBear, is believed to have ties with the Russian Foreign Intelligence Service. Since making a splash with an extensive hacking campaign that exploited SolarWinds software, the group has kept busy trying to phish diplomats and international aid groups. Last May, the group launched a spearphishing attack posing as the U.S. Agency for International Development, leading to a Justice Department seizure of domains used in the campaign.

Most recently, Microsoft researchers spotted Nobelium attempting to phish diplomats from Ukraine and NATO members.

Recorded Future researchers were unable to clearly identify victims tied to the newly identified domains, but found ties to the same malware used in previous campaigns. Researchers expressed high confidence in their findings given overlaps with previously identified Nobelium infrastructure, including the consistent use of specifically customized security certificates.

SolarWinds hackers set up phony media outlets to trick targets

More Like This

More bugs in Palo Alto Expedition see active exploitation, CISA warns

Moody’s Rating adds telecoms, airlines, utilities to highest risk category

Biden administration nears completion of second cybersecurity executive order with plethora of agenda items

Top Stories

NSO Group used WhatsApp exploits after the messaging app sued the spyware developer, court filing says

HackerOne urges U.S. to advocate for research protections in UN cybercrime treaty

More Scoops

CISA emergency directive tells agencies to fix credentials after Microsoft breach

SolarWinds hackers kept busy in the year since the seminal hack, Mandiant finds

Latest Russian espionage activity is broader than SolarWinds-style hacking effort, Microsoft’s Tom Burt says

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign

SolarWinds hackers had access to Denmark’s central bank, report says

Russian hackers breached Microsoft customer support to try phishing targets in 36 countries

Ex-US ambassador, anti-corruption activists in Ukraine were targets of suspected Russian phishing

Latest Podcasts

Special CyberTalks Edition with National Cyber Director Harry Coker

Securing the Skies: Aerospace Cybersecurity with David Brumley

Verizon’s Lamont Copeland on defending against the expanding attack surface

Cisco’s Jane Zipoli on how cloud services affect real-time threat detection

Government

Technology

Threats

Geopolitics