Home
-
Blog
-
How to detect network IoCs (URLs, Domains and IPs) in context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?
16/04/2025

How to detect network IoCs (URLs, Domains and IPs) in context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?

SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian secret services.

Author: Jan Rześny
SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian Federal Security Services and prepared the IoC how malicious activity can be detected. (More information in here: https://www.gov.pl/web/baza-wiedzy/kampania-szpiegowska-wiazana-z-rosyjskimi-sluzbami)

As we read in the information published:

There is significant overlap between various aspects of the current campaign, such as its infrastructure, techniques, and tools, with those described in previous campaigns referred to as “NOBELIUM” by Microsoft and “APT29” by Mandiant. The actor behind this campaign has been linked to other campaigns, including “SOLARWINDS,” as well as tools such as “SUNBURST,” “ENVYSCOUT,” and “BOOMBOX,” among others, all of which have intelligence-gathering purposes.

What sets this campaign apart from previous ones is the use of software that has not been publicly described before. Additionally, new tools were utilized alongside or instead of those that had become less effective, allowing the actor to maintain continuity of operations.

 

In Sycope NSM you can use below search to detect artifacts regarding malicious URLs, Domains and IP addresses.

lookupKeyExists(“MalciousUrls”, {“Url”: httpUrl}) or lookupKeyExists(“MaliciousDomains”, {“Domain”: httpHost}) or lookupKeyExists(“MalciousIPs”, {“Ip”: clientIp}) or lookupKeyExists(“MalciousIPs”, {“Ip”: serverIp})

HALFRIG Network IoCs QUARTERRIG SNOWYAMBER
You may also like
Blog
The cyberattacks – reminder of the importance of network monitoring and security
Remain alert. The cyberattacks are a stark reminder of the importance of cybersecurity and network monitoring in today's world.
Jan Rześny
16/04/2025
Read more >

    This week top knowledge
    Blog
    Multitenancy in Sycope
    Single Master Console instance dedicated for Service Providers to remotely manage local clients’ instances (tenants).
    Jan Rześny
    21/05/2025
    Read more >
    Blog
    How to use multi-layered approach in the cybersecurity strategy
    An overview of key cybersecurity product categories.
    Jan Rześny
    22/05/2025
    Read more >
    Blog
    Network flow monitoring – a valuable source of data for SIEM systems
    SIEM is the central security system for most organisations, network flow monitoring can help to increase companies’ defensive capabilities.
    Jan Rześny
    16/04/2025
    Read more >
    x
    Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration
    < Previous video
    Next video >
    Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration
    Products
    Products
    Visibility Performance Security Asset Discovery
    Resources
    Resources
    Resource library
    Documentation
     Integrations Case studies FAQ
    Company
    Company
    About Careers Partners For Investors
    © 2025 Sycope Ltd. All rights reserved. Privacy Policy
    This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.