
An analysis of Nobelium/APT29/CozyBear indicates that the Russian hackers responsible for the SolarWinds attack are setting up new infrastructure for launching attacks. For example, the group has registered “typosquatting” domains to trick phishing targets into thinking they are dealing with legitimate websites, with an emphasis on impersonating news and media organizations. The group has been trying to phish diplomats and international aid groups, with a recent focus on Ukraine and NATO targets. Last May the group posed as the U.S. Agency for International Development, using domains that the DOJ eventually seized.
