SolarWinds Actors Eye Hub Firms for Prime Targets

The Russian APT group known as Cozy Bear doesn’t hibernate for long, and in late October Microsoft warned that the nation-state actor was trying to replicate the success of its SolarWinds supply chain attack — this time by compromising IT resellers and tech/cloud service providers and then impersonating them in order to target their customers.

On the heels of that report, researchers from Israeli cyber assessment and optimization firm CYE released their own findings, which show that Cozy Bear — aka Nobelium or APT29 — is not putting all its eggs in one basket. CYE reported what it claims is previously unreported Nobelium activity involving an unknown C2 malware, along with new TTPs and IOCs.

The company says its recently established counter threat intelligence and digital forensics incident response teams engaged with the Russian threat actor across multiple incidents, and in doing so found a malware that is composed of JavaScript and Powershell and exploits the use of Windows .hta (HTML) applications. The malware establishes a connection between a compromised machine and a legitimate domain that the attackers have compromised and taken control of — for what purpose CYE does not know.