Pulse Detail — Threat Intelligence

PULSE NAME

Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns

WHITE APT29 AlienVault 2021-05-27 Modified: 2021-07-02

226

IOCs

HIGH VOLUME

Volexity, a security firm, has identified and identified a phishing campaign targeting government agencies across the United States and Europe that is believed to be related to APT29.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1566 T1070 T1573 T1610 T1071.001 T1204.001 T1204 T1105 T1055.001 T1566.002

MALWARE FAMILIES

CobaltStrike FreshFire

Indicators of Compromise (5 / 226 total)

All hostname FileHash-MD5 FileHash-SHA256 FileHash-SHA1 domain URL YARA

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	https://cdn.theyardservice.com/jquery-3.3.1.min.woff2	—	2021-05-27
URL	https://dataplane.theyardservice.com/jquery-3.3.1.min.woff2	—	2021-05-27
URL	https://static.theyardservice.com/jquery-3.3.1.min.woff2	—	2021-05-27
URL	https://worldhomeoutlet.com/jquery-3.3.1.min.woff2	—	2021-05-27
URL	https://usaid.theyardservice.com/d/	94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916	2021-06-02

References (5)

↗ https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/ ↗ https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ ↗ https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a ↗ https://us-cert.cisa.gov/ncas/alerts/aa21-148a ↗ https://github.com/microsoft/mstic/blob/master/Indicators/May21-NOBELIUM/May21NOBELIUMIoCs.csv