Threats

SolarWinds hackers set up phony media outlets to trick targets

New infrastructure, old tricks.

May 3, 2022

The Russian hacking group behind the SolarWinds hack, Nobelium, is setting up new infrastructure to launch attacks using old tricks, researchers at Recorded Future found. The findings, published Tuesday and shared first with CyberScoop, demonstrate how the group has evolved in recent months in an effort to avoid researcher detection.

Researchers identified more than four dozen domains the group used in phishing attacks, some of which attempted to emulate real brands. The tactic, in which hackers register potentially misspelled versions of real brand domains to trick targets, is known as “typosquatting.”

By posing as legitimate-looking entities, hackers can more easily trick victims into clicking on links that may be used in credential theft and other crimes. Typosquatting is a common tool associated with Nobelium and has been used by the group in other campaigns, including recent attacks against Ukrainian targets.

The set of domains that Recorded Future identified emulated brands across industries but particularly focused on posing as news and media organizations. Researchers emphasized that the industries emulated did not necessarily equate to industries the group targeted.

Nobelium, also known as APT29 or CozyBear, is believed to have ties with the Russian Foreign Intelligence Service. Since making a splash with an extensive hacking campaign that exploited SolarWinds software, the group has kept busy trying to phish diplomats and international aid groups. Last May, the group launched a spearphishing attack posing as the U.S. Agency for International Development, leading to a Justice Department seizure of domains used in the campaign.

Most recently, Microsoft researchers spotted Nobelium attempting to phish diplomats from Ukraine and NATO members.

Recorded Future researchers were unable to clearly identify victims tied to the newly identified domains, but found ties to the same malware used in previous campaigns. Researchers expressed high confidence in their findings given overlaps with previously identified Nobelium infrastructure, including the consistent use of specifically customized security certificates.

SolarWinds hackers set up phony media outlets to trick targets

More Like This

Stolen Change Healthcare data could contain information on ‘a substantial portion’ of Americans

‘Large volume’ of data stolen from UN agency after ransomware attack

CISA emergency directive tells agencies to fix credentials after Microsoft breach

Top Stories

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

Democratic operative behind Biden AI robocall says lawsuit won’t ‘get anywhere’

More Scoops

SolarWinds hackers kept busy in the year since the seminal hack, Mandiant finds

Latest Russian espionage activity is broader than SolarWinds-style hacking effort, Microsoft’s Tom Burt says

SolarWinds hackers targeted Autodesk in latest confirmed fallout from cyber-espionage campaign

SolarWinds says hackers used a zero-day flaw for ‘targeted attacks’ in a new breach

SolarWinds hackers had access to Denmark’s central bank, report says

Russian hackers breached Microsoft customer support to try phishing targets in 36 countries

Ex-US ambassador, anti-corruption activists in Ukraine were targets of suspected Russian phishing

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics