Researchers have observed the Nobelium group setting up new infrastructure to perform attacks with old techniques. The group is based in Russia and was behind the infamous SolarWinds attack.

The new infrastructure

Recorded Future published a report describing how the group has evolved to avoid detection. 
  • The new infrastructure, tracked as SOLARDEFLECTION and LUNARREFLECTION, includes several new domains registered by the group.
  • The hackers registered more than four dozen domains, some of which try to imitate real brands across various industries. These are misspelled versions of real brand domains used to fool targets, a tactic known as typosquatting.
  • The industries emulated within SOLARDEFLECTION typosquat include retail, finance, business development, news/media, and web hosting.
  • The typosquatted domains grouped under LUNARREFLECTION include marketing, healthcare, transportation, retail, media, news, food, and beverages.

More Info

By posing as legitimate-looking entities, victims are tricked into clicking on links used for credential theft and other scams. 
  • Cobalt Strike servers related to SOLARDEFLECTION monitoring were previously linked to Nobelium activity using modified server configurations for the reason of staying undetected.
  • Nobelium has mostly used typosquat domains in SSL certificates and is believed to continue using deceptive techniques, such as typosquat redirection while using Cobalt Strike.


Experts are expecting a continuation of cyber operations being launched by Russia-based groups, such as Nobelium. Thus, organizations are recommended to use IPS/IDS systems, network defense mechanisms, and threat intelligence to counter domain abuse.

Cyware Publisher