As the published information states:
There is significant overlap between various aspects of the current campaign, such as its infrastructure, techniques, and tools, with those described in previous campaigns referred to as “NOBELIUM” by Microsoft and “APT29” by Mandiant. The actor behind this campaign has been linked to other campaigns, including “SOLARWINDS,” as well as tools such as “SUNBURST,” “ENVYSCOUT,” and “BOOMBOX,” among others, all of which have intelligence-gathering purposes.
What sets this campaign apart from previous ones is the use of software that has not been publicly described before. Additionally, new tools were utilized alongside or instead of those that had become less effective, allowing the actor to maintain continuity of operations.
In Sycope NSM you can use the search below to detect artifacts involving malicious URLs, domains and IP addresses.
```
lookupKeyExists("MalciousUrls", {"Url": httpUrl}) or lookupKeyExists("MaliciousDomains", {"Domain": httpHost}) or lookupKeyExists("MalciousIPs", {"Ip": clientIp}) or lookupKeyExists("MalciousIPs", {"Ip": serverIp})
```
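To see what the search actually matches, here is the same four-way lookup reproduced in Python over constructed flow records. This is an added example, not Sycope code; the lookup tables, field names and the case-insensitive hostname normalization are assumptions, and every value in them is a placeholder from documentation address ranges, not a real indicator.

```python
# Added example (not part of the Sycope product or the original article):
# the four lookupKeyExists checks from the NSM search above, reproduced in
# Python so the matching logic can be exercised offline.

# Constructed lookup tables standing in for the Sycope lookups named in the
# search. Keys are placeholders, not real indicators.
LOOKUPS = {
    "MalciousUrls": {"/update/payload.php"},
    "MaliciousDomains": {"bad-example.invalid"},
    "MalciousIPs": {"203.0.113.45"},
}

# Constructed flow records using the field names the search references.
FLOWS = [
    {"clientIp": "10.0.0.5", "serverIp": "198.51.100.7",
     "httpHost": "intranet.example", "httpUrl": "/index.html"},
    {"clientIp": "10.0.0.9", "serverIp": "198.51.100.8",
     "httpHost": "Bad-Example.invalid.", "httpUrl": "/"},
    {"clientIp": "10.0.0.9", "serverIp": "203.0.113.45",
     "httpHost": "203.0.113.45", "httpUrl": "/update/payload.php"},
]

# (lookup table, flow field) pairs in the same order as the search string.
CHECKS = [("MalciousUrls", "httpUrl"), ("MaliciousDomains", "httpHost"),
          ("MalciousIPs", "clientIp"), ("MalciousIPs", "serverIp")]


def normalize(field, value):
    """Hostnames compare case-insensitively and without a trailing dot
    (assumption about how the lookup stores them); other fields verbatim."""
    if value is None:
        return None
    return value.lower().rstrip(".") if field == "httpHost" else value


def lookup_key_exists(table, key):
    """Mirror of lookupKeyExists(table, {column: value})."""
    return key is not None and key in LOOKUPS.get(table, set())


def match_reasons(flow):
    """Return 'table:field' for every check that fires, which is what an
    analyst needs for triage rather than a bare boolean."""
    return [f"{table}:{field}" for table, field in CHECKS
            if lookup_key_exists(table, normalize(field, flow.get(field)))]


def scan(flows):
    """(index, reasons) for every flow the search would return."""
    return [(i, match_reasons(f)) for i, f in enumerate(flows) if match_reasons(f)]


if __name__ == "__main__":
    for i, reasons in scan(FLOWS):
        print(f"flow {i} matched: {', '.join(reasons)}")
```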



FAQ
There is significant overlap in infrastructure, techniques, and tools with previous campaigns referred to as "NOBELIUM" by Microsoft and "APT29" by Mandiant.
The actor behind this campaign has been linked to "SOLARWINDS," and uses tools like "SUNBURST," "ENVYSCOUT," and "BOOMBOX" for intelligence-gathering purposes.
This campaign uses software that has not been publicly described before and new tools to maintain continuity of operations despite some older tools becoming less effective.
In Sycope NSM you can detect these artifacts with lookup searches such as lookupKeyExists("MalciousUrls", {"Url": httpUrl}), lookupKeyExists("MaliciousDomains", {"Domain": httpHost}), lookupKeyExists("MalciousIPs", {"Ip": clientIp}) and lookupKeyExists("MalciousIPs", {"Ip": serverIp}).

