SolarWinds hackers set up phony media outlets to trick targets

New infrastructure, old tricks.

The Russian hacking group behind the SolarWinds hack, Nobelium, is setting up new infrastructure to launch attacks using old tricks, researchers at Recorded Future found. The findings, published Tuesday and shared first with CyberScoop, demonstrate how the group has evolved in recent months in an effort to avoid detection by researchers.

Researchers identified more than four dozen domains the group used in phishing attacks, some of which attempted to emulate real brands. The tactic, in which hackers register potentially misspelled versions of real brand domains to trick targets, is known as “typosquatting.”

By posing as legitimate-looking entities, hackers can more easily trick victims into clicking on links that may be used in credential theft and other crimes. Typosquatting is a common tool associated with Nobelium and has been used by the group in other campaigns, including recent attacks against Ukrainian targets.

The set of domains that Recorded Future identified emulated brands across industries but particularly focused on posing as news and media organizations. Researchers emphasized that the industries emulated did not necessarily equate to industries the group targeted.


Nobelium, also known as APT29 or CozyBear, is believed to have ties with the Russian Foreign Intelligence Service. Since making a splash with an extensive hacking campaign that exploited SolarWinds software, the group has kept busy trying to phish diplomats and international aid groups. Last May, the group launched a spearphishing attack posing as the U.S. Agency for International Development, leading to a Justice Department seizure of domains used in the campaign. 

Most recently, Microsoft researchers spotted Nobelium attempting to phish diplomats from Ukraine and NATO members.

Recorded Future researchers were unable to clearly identify victims tied to the newly identified domains, but found ties to the same malware used in previous campaigns. Researchers expressed high confidence in their findings given overlaps with previously identified Nobelium infrastructure, including the consistent use of specifically customized security certificates.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
