Cozy Bear Goes Typosquatting
Researchers at Recorded Future’s Insikt Group warn that the Russian threat actor NOBELIUM (also known as APT29 or Cozy Bear) is using typosquatting domains to target the news and media industries with phishing pages.
“From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure,” the researchers write. “In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators. A key factor we have observed from NOBELIUM operators involved in threat activity is a reliance on domains that emulate other brands (some legitimate and some that are likely fictitious businesses). Domain registrations and typosquats can enable spear phishing campaigns or redirects that pose a threat to victim networks and brands.”
Recorded Future notes that the threat actor is effectively imitating the targeted companies.
“Analysis of recent and historical domains attributed to NOBELIUM broadly demonstrates the group’s familiarity with, and tendency to emulate, a variety of media, news and technology providers,” the researchers write. “The group has abused dynamic DNS resolution to construct and resolve to randomly generated subdomains for its C2s or root domains to mislead victims. The key aspect to these attacks is the use of either email addresses or URLs that look similar to the domain of a legitimate organization. Potentially harmful domain registrations and typosquats can enable spear phishing campaigns or redirects that pose an elevated risk to a company’s brand or employees.”
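As an added illustration of the defensive side of this (not code from Recorded Future or Insikt Group), the Python below flags observed domains that resemble a watched brand in the ways the report describes: a near-miss second-level label after folding common confusable characters, the brand embedded alongside extra tokens, or the brand reused as a subdomain of an unrelated or dynamic-DNS root. The brand list, confusable table and sample domains are constructed assumptions; a real deployment would feed it new-registration or passive-DNS records and use a public suffix list.

```python
"""Flag observed domains that imitate monitored brand domains.
Added example, not Recorded Future's or Insikt Group's tooling; the brand
list, homoglyph table and sample domains are constructed for illustration."""
from typing import List, Optional, Tuple

# Confusable sequences often swapped in lookalike labels (assumption: small sample table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(label: str) -> str:
    """Lower-case and collapse confusables so 'rnedia' compares equal to 'media'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split(domain: str) -> Tuple[List[str], str]:
    """Return (subdomain labels, second-level label). Assumption: one-label public
    suffix; production code would consult the public suffix list instead."""
    parts = domain.lower().rstrip(".").split(".")
    return ([], parts[0]) if len(parts) < 2 else (parts[:-2], parts[-2])


def classify(observed: str, brands: List[str], max_edits: int = 1) -> Optional[str]:
    """Return the brand that `observed` imitates, or None (genuine domain or no match).
    Covers the lookalike patterns the report describes: a near-miss registrable label
    (typosquat), the brand embedded with extra tokens ('brand-login'), and the brand
    reused as a subdomain of an unrelated or dynamic-DNS root domain."""
    observed = observed.lower().rstrip(".")
    if observed in {b.lower().rstrip(".") for b in brands}:
        return None  # the genuine domain itself is never a lookalike
    subs, label = split(observed)
    for brand in brands:
        target = fold(split(brand)[1])
        if levenshtein(fold(label), target) <= max_edits or target in fold(label):
            return brand
        if any(target in fold(s) for s in subs):
            return brand
    return None
```

Matches are a triage signal, not a verdict: short brand labels will produce substring false positives, so review hits alongside registration date and resolving infrastructure before acting.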
The researchers add that spear phishing is a common technique used by both criminal and nation-state threat actors.
“A successful spear phish is dependent on factors such as the quality of the message, the credibility of the sender address, and, in the case of a redirecting URL, the credibility of the domain name,” the researchers write. “Insikt Group has previously observed other Russian nexus groups using typosquatting in support of operations, such as those aimed at the 2020 presidential elections, to increase confidence in the validity of the fraudulent login portal used to harvest victim credentials. This tactic has also been reported recently in open sources in connection with intrusions targeting entities in Ukraine, likely in support of Russia’s invasion of the country.”