APT29, believed to be an espionage group from Russia, became known for launching targeted attacks against organizations in Ukraine. But over the course of investigating the threat group, Mandiant discovered that it may have a hand in cybercriminal operations, specifically phishing, as well.

As far as security researchers could tell, APT29’s cybercriminal arm went by the moniker “NOBELIUM,” which has been trailing its sights on Microsoft’s cloud-based products. An in-depth investigation on the threat identified 48 indicators of compromise (IoCs)—41 domains and seven IP addresses to date.

The WhoisXML API research team expanded this list of IoCs in search of more artifacts potentially connected to APT29’s phishing operation arm NOBELIUM and uncovered:

• 13 unreported IP addresses to which some of the domains identified as IoCs resolved, 10 of which turned out to be malicious based on malware checks
• 422 unreported domains that shared the IP addresses of some of the IoCs and additional resolutions as hosts
• 577 domains and subdomains containing strings related to five of Microsoft’s cloud services, 10 of which turned out to be malware hosts based on bulk malware checks

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the IoCs

We started our DNS deep dive into APT29’s phishing operation by looking for more information on the NOBELIUM IoCs.

A bulk WHOIS lookup for the 41 domains identified as IoCs led to these discoveries:

• The top 3 registrars were Namecheap (12 domains), MarkMonitor (six domains), and GoDaddy.com (three domains). Thirteen of the IoCs didn’t have publicly viewable registrars. The remaining seven domains were spread across six other registrars.

  

• The IoCs were created between 1999 and 2023, which could mean the threat actors didn’t discriminate when it came to domain age.
• A majority of the IoCs were registered in the U.S. (15 domains) and Iceland (11 domains).

A bulk IP geolocation lookup, meanwhile, for the seven IP addresses identified as IoCs led to these findings:

• The IP addresses were geolocated in five countries led by the U.K. (three IoCs). The remaining four originated from Australia, France, Romania, and Ukraine.
• None of the IP addresses shared an Internet service provider (ISP).

IoC List Expansion Findings

In a bid to find other potential NOBELIUM artifacts, we ran historical WHOIS searches on the 41 domains identified as IoCs and found that the registrants of 22 of them registered 22 other domains that aren’t part of the current IoC list.

We then subjected them to DNS lookups that uncovered 13 unreported IP addresses to which some of the domains identified as IoCs resolved. Three of them hosted several domains as shown in the table below.

Ten of the 13 IP resolutions also turned out to be malicious based on malware checks. In fact, nine of them were reported to AbuseIPDB several times as shown below.

Reverse IP lookups for the seven IoCs and additional IP addresses showed that:

• None of the IP addresses identified as IoCs were currently in use.
• Four of the unreported IP resolutions were possibly dedicated, playing host to 422 domains in total.

NOBELIUM also reportedly targeted Microsoft’s cloud-based products. We sought to find if potential threat vectors, particularly domains and subdomains created this year, already exist in the DNS. We used these strings as Domains & Subdomains Discovery search terms based on a list of five of the company’s cloud services.

We found 236 domains and 341 subdomains containing the five strings listed above. Take a look at their volume breakdown below.

A bulk WHOIS lookup for the 236 string-connected domains showed that only three were Microsoft-owned. They had the same registrant organization as the company’s official domain microsoft[.]com. A bulk malware check, meanwhile, revealed that five of them have already been categorized as malicious and, as expected, none of them belong to Microsoft despite bearing its name. And one of the malicious domains was currently up for sale.

A bulk WHOIS lookup, meanwhile, for the 341 string-connected subdomains showed that only three belonged to Microsoft based on their registrant organization. A bulk malware check showed that five of them were already classified as malicious and none were owned by the company. Four of them remained accessible—two led to index pages while the other two led to error pages.

Our expansion analysis of the APT 29-NOBELIUM IoCs led to the discovery of 1,034 potentially connected artifacts that could figure in future attacks. At least 20 of them may have or are already being used as threat entry points to date. Preventing access to them would be a good idea.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.