Email security

New attack infrastructure established by SolarWinds hackers

Russian state-sponsored threat group Nobelium, which was behind the widespread SolarWinds hack, has been leveraging over four dozen domains impersonating real brands in new phishing attacks, reports CyberScoop. Nobelium, also known as CozyBear or APT29, has frequently used typosquatting in its attacks, and the newly discovered domains were found to emulate news and media organizations, according to a report from Recorded Future. Ukrainian diplomats and NATO members were the most recent phishing targets of Nobelium, which had spoofed the U.S. Agency for International Development in a spearphishing attack last year. Domains leveraged in the USAID impersonation campaign have been seized by the U.S. Justice Department. While victims of the new campaign have not been clearly identified, the new domains have been associated with malware similar to that leveraged in older campaigns. Researchers also found that the new domains overlapped significantly with Nobelium infrastructure, giving them high confidence that the domains are associated with Nobelium.
