October 27, 2023

How to detect network IoCs (URLs, Domains and IPs) in context of SNOWYAMBER, HALFRIG and QUARTERRIG in Sycope NSM?

SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian secret services.

SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian Federal Security Services.

SKW and CSIRT NASK observed a wide-ranging espionage campaign related to Russian Federal Security Services and prepared the IoC how malicious activity can be detected. (More information in here: https://www.gov.pl/web/baza-wiedzy/kampania-szpiegowska-wiazana-z-rosyjskimi-sluzbami)

As we read in the information published:

There is significant overlap between various aspects of the current campaign, such as its infrastructure, techniques, and tools, with those described in previous campaigns referred to as "NOBELIUM" by Microsoft and "APT29" by Mandiant. The actor behind this campaign has been linked to other campaigns, including "SOLARWINDS," as well as tools such as "SUNBURST," "ENVYSCOUT," and "BOOMBOX," among others, all of which have intelligence-gathering purposes.
What sets this campaign apart from previous ones is the use of software that has not been publicly described before. Additionally, new tools were utilized alongside or instead of those that had become less effective, allowing the actor to maintain continuity of operations.

In Sycope NSM you can use below search to detect artifacts regarding malicious URLs, Domains and IP addresses.

lookupKeyExists("MalciousUrls", {"Url": httpUrl}) or lookupKeyExists("MaliciousDomains", {"Domain": httpHost}) or lookupKeyExists("MalciousIPs", {"Ip": clientIp}) or lookupKeyExists("MalciousIPs", {"Ip": serverIp})

arrow_forward
Sycope Resources

Explore more

New release [Sycope 3.0]

New release [Sycope 3.0]

Sycope announces the latest release of its network traffic and security monitoring software is first and foremost a huge number of new built

Learn more
Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration

Leveraging the nTop nDPI for Application Visibility within Sycope/nProbe integration

Gaining insight into Layer 7 application is one of the crucial advantages for network monitoring in areas of performance and security.

Learn more
Multitenancy in Sycope

Multitenancy in Sycope

Single Master Console instance dedicated for Service Providers to remotely manage local clients’ instances (tenants)

Learn more

Get a monthly dose of blog posts, tips and tricks

Sign-up for the newsletter and be updated about Sycope.

Sign-up for the newsletter
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
PreferencesDenyAccept