October 27, 2023

How to detect network IoCs (URLs, domains and IPs) in the context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?

SKW and CSIRT NASK observed a wide-ranging espionage campaign linked to Russian state intelligence services and published a set of IoCs (indicators of compromise) with which the malicious activity can be detected. (More information here: https://www.gov.pl/web/baza-wiedzy/kampania-szpiegowska-wiazana-z-rosyjskimi-sluzbami)

As the published advisory states:

There is significant overlap between various aspects of the current campaign, such as its infrastructure, techniques, and tools, with those described in previous campaigns referred to as "NOBELIUM" by Microsoft and "APT29" by Mandiant. The actor behind this campaign has been linked to other campaigns, including "SOLARWINDS," as well as tools such as "SUNBURST," "ENVYSCOUT," and "BOOMBOX," among others, all of which have intelligence-gathering purposes.
What sets this campaign apart from previous ones is the use of software that has not been publicly described before. Additionally, new tools were utilized alongside or instead of those that had become less effective, allowing the actor to maintain continuity of operations.

In Sycope NSM you can use the search below to detect flows that touch the malicious URLs, domains and IP addresses from the published IoC list. It assumes the IoCs have been imported into three lookups, named here MaliciousUrls (key Url), MaliciousDomains (key Domain) and MaliciousIPs (key Ip); the lookup names and key names in the query must match exactly the lookups you created. The IP lookup is checked against both clientIp and serverIp, so a hit fires regardless of which side of the flow the IoC address is on.

lookupKeyExists("MaliciousUrls", {"Url": httpUrl}) or lookupKeyExists("MaliciousDomains", {"Domain": httpHost}) or lookupKeyExists("MaliciousIPs", {"Ip": clientIp}) or lookupKeyExists("MaliciousIPs", {"Ip": serverIp})

Note that lookupKeyExists is an exact key match: a host observed as "sub.evil.example" will not match a lookup entry "evil.example", and a host carrying a port ("evil.example:443") will not match either, so normalise the IoC list and the observed fields to the same form before loading the lookups.
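The same detection logic, re-implemented offline in Python as an added example (this is not Sycope's code and not part of the original post), so you can test how an IoC list and flow records should be normalised before they meet an exact-match lookup. The IoC feed, the lookup names and the flow records are constructed placeholders, not indicators from the gov.pl advisory. It goes one step further than the exact-key search: a host that is a subdomain of an IoC domain also fires, and ports and case are stripped from hosts before matching.

```python
"""Offline re-implementation of the IoC lookup search: URL, domain and IP
indicators are loaded into three tables and each flow record is checked
against all of them. All data below is constructed for the example."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed IoC feed in "type,value" form (placeholder values only).
IOC_CSV = """\
type,value
url,http://198.51.100.23/files/update.php
domain,cdn.example-malicious.net
ip,198.51.100.23
ip,203.0.113.77
"""

# Constructed flow records shaped like the Sycope flow fields used above.
FLOWS = [
    {"clientIp": "10.0.0.5", "serverIp": "93.184.216.34",
     "httpHost": "www.example.com", "httpUrl": "http://www.example.com/"},
    {"clientIp": "10.0.0.8", "serverIp": "198.51.100.23",
     "httpHost": "198.51.100.23", "httpUrl": "http://198.51.100.23/files/update.php"},
    {"clientIp": "10.0.0.9", "serverIp": "192.0.2.40",
     "httpHost": "static.CDN.example-malicious.net:443", "httpUrl": None},
    {"clientIp": "203.0.113.77", "serverIp": "10.0.0.20",
     "httpHost": None, "httpUrl": None},
]


@dataclass
class IocTables:
    """Mirrors the three lookups assumed by the search (names are assumptions)."""
    urls: set = field(default_factory=set)      # MaliciousUrls
    domains: set = field(default_factory=set)   # MaliciousDomains
    ips: set = field(default_factory=set)       # MaliciousIPs


def normalize_host(host):
    """Lower-case, strip trailing dot and :port; handle [v6]:port literals."""
    if not host:
        return None
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:
        host = host[1:host.index("]")]
    elif host.count(":") == 1:          # host:port, not an IPv6 literal
        host = host.split(":", 1)[0]
    return host or None


def normalize_url(url):
    """Canonical scheme://host/path?query so feed and flow URLs compare equal."""
    if not url:
        return None
    parts = urlsplit(url.strip())
    host = normalize_host(parts.hostname)
    if not host:
        return None
    out = f"{parts.scheme.lower()}://{host}{parts.path or '/'}"
    return out + (f"?{parts.query}" if parts.query else "")


def load_iocs(csv_text):
    """Parse the type,value feed; IPs are validated with the ipaddress module."""
    tables = IocTables()
    for line in csv_text.splitlines()[1:]:      # skip the header row
        if not line.strip():
            continue
        kind, value = (s.strip() for s in line.split(",", 1))
        if kind.lower() == "url":
            tables.urls.add(normalize_url(value))
        elif kind.lower() == "domain":
            tables.domains.add(normalize_host(value))
        elif kind.lower() == "ip":
            tables.ips.add(str(ipaddress.ip_address(value)))
        else:
            raise ValueError(f"unknown IoC type: {kind}")
    return tables


def domain_hit(host, domains):
    """Exact match first, then each parent domain, so subdomains also fire."""
    if host is None:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_flow(flow, tables):
    """Return the list of (table, matched value) reasons for one flow record."""
    reasons = []
    url = normalize_url(flow.get("httpUrl"))
    if url in tables.urls:
        reasons.append(("MaliciousUrls", url))
    hit = domain_hit(normalize_host(flow.get("httpHost")), tables.domains)
    if hit:
        reasons.append(("MaliciousDomains", hit))
    for fld in ("clientIp", "serverIp"):        # either side of the flow
        ip = flow.get(fld)
        if ip and ip in tables.ips:
            reasons.append(("MaliciousIPs", f"{fld}={ip}"))
    return reasons


def scan(flows, tables):
    """Return [(flow index, reasons)] for every flow that matched at least once."""
    hits = []
    for i, flow in enumerate(flows):
        reasons = match_flow(flow, tables)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in scan(FLOWS, load_iocs(IOC_CSV)):
        print(idx, why)
```

When loading the real IoC list into Sycope lookups, run the feed through the same normalisation you apply to the observed fields; otherwise the exact-key search silently misses entries that differ only in case, a trailing dot or a port suffix.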
