SolarWinds hackers set up phony media outlets to trick targets

May 3, 2022 | CYBERSCOOP

The Russian hacking group behind the SolarWinds compromise, Nobelium, is standing up new infrastructure to launch attacks with old tricks, researchers at Recorded Future found. The findings, published Tuesday and shared first with CyberScoop, show how the group has adjusted its tradecraft in recent months in an effort to evade detection by researchers.

Researchers identified more than four dozen domains the group used in phishing attacks, some of which imitated real brands. The tactic, in which attackers register domains that are slight misspellings or lookalikes of real brand domains to trick targets, is known as “typosquatting.”

By posing as legitimate-looking entities, hackers can more easily trick victims into clicking on links that may be used in credential theft and other crimes. Typosquatting is a common tool associated with Nobelium and has been used by the group in other campaigns, including recent attacks against Ukrainian targets.
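The lookalike-domain tactic described above, as an added example that is not code from the article or from Recorded Future's report: a small Python scanner that flags newly observed registrations that are near-misses of a watch list of brand domains, catching the three common variants (a character swapped for a confusable such as 1 for l or rn for m, a top-level-domain swap, and small edit-distance changes like transpositions or an inserted hyphen). Every brand name and observed domain in it is constructed for illustration; none is a domain from the report.

```python
"""Typosquat detection over a constructed list of observed domains.

Added example (not from the CyberScoop article or Recorded Future's report).
Flags registered domains that are near-misses of a watch list of brand domains
using (a) confusable-character normalisation, (b) TLD swaps and (c) edit
distance on the registrable label. All domains below are constructed.
"""
from __future__ import annotations

# Watch list of brand domains to protect (constructed, not real organisations).
BRANDS = ["example-news.com", "example-media.org", "acmepress.net"]

# Multi- and single-character confusables commonly used in typosquats.
# Multi-character entries come first so "rn" is folded before "1"/"0" etc.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "1": "l", "0": "o", "5": "s", "3": "e", "8": "b",
}

# Constructed sample of "newly registered" domains a feed might hand us.
OBSERVED = [
    "example-news.com",      # the genuine brand domain itself
    "examp1e-news.com",      # digit 1 in place of the letter l
    "example-news.net",      # same label, different TLD
    "exarnple-media.org",    # "rn" standing in for "m"
    "exampel-news.com",      # transposed letters (edit distance 2)
    "acmepress.net",         # genuine
    "acme-press.net",        # inserted hyphen (edit distance 1)
    "unrelated-site.com",    # should not be flagged
]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) with one rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, tld) for a plain two-part domain.

    Assumption: no public-suffix handling (e.g. example.co.uk); for real
    feeds, split with a public-suffix list instead of rpartition.
    """
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def normalize(label: str) -> str:
    """Fold confusable characters so 'examp1e' and 'exarnple' become 'example'."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def classify(domain: str, brands: list[str] = BRANDS, max_dist: int = 2):
    """Return (matched_brand, reason) for a near-miss, or None otherwise.

    The exact brand domain returns None so the legitimate site is never flagged.
    """
    label, tld = split_domain(domain)
    for brand in brands:
        b_label, b_tld = split_domain(brand)
        if label == b_label and tld == b_tld:
            return None
        if label == b_label:
            return brand, "tld-swap"
        if normalize(label) == b_label:
            return brand, "confusable"
        if levenshtein(label, b_label) <= max_dist:
            return brand, "edit-distance"
    return None


def scan(domains: list[str] = OBSERVED, brands: list[str] = BRANDS) -> dict:
    """Map each flagged domain to (brand it imitates, reason)."""
    hits = {}
    for d in domains:
        verdict = classify(d, brands)
        if verdict is not None:
            hits[d] = verdict
    return hits


if __name__ == "__main__":
    for domain, (brand, reason) in scan().items():
        print(f"{domain:24} imitates {brand:20} [{reason}]")
```

The edit-distance threshold is the tuning knob: 2 catches transpositions and one-character insertions without drowning analysts in short, common labels, but very short brand labels will need a lower threshold or a length-aware cutoff. Since the article notes the imitated industry need not match the targeted one, the watch list should include brands your users trust as sources (news outlets included), not only your own domains.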

The set of domains that Recorded Future identified emulated brands across industries but particularly focused on posing as news and media organizations. Researchers emphasized that the industries emulated did not necessarily equate to industries the group targeted.

Nobelium, also known as APT29 or CozyBear, is believed to have ties
