IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Justice Department seizes domains used in USAID spear-phishing attacks

The APT29 hacking group is behind recent campaign

USAID flag flying over a blue sky

The US Department of Justice (DoJ)  has confiscated two command-and-control (C2) and malware distribution domains used in a recent spear-phishing activity that imitated email communications from the US Agency for International Development (USAID). Bad actors used the domains to spread malware and access internal networks.

Microsoft was among the first to alert the public of the attacks last week. The hacking gang Nobelium, a Russian state-sponsored cybercriminal group, reportedly carried out the attacks. The gang, also known as APT29, was behind the SolarWinds attacks, the SUNBURST backdoorTEARDROP malwareGoldMax malware, and others.

The two domains seized were theyardservice[.]com and worldhomeoutlet[.]com. The threat actors used these domains to grab data from phishing victims and send commands to malware on compromised devices.

The phishing campaign used Constant Contact's service to send malicious links obscured behind the mailing service's URL. The hackers targeted approximately 3,000 accounts across more than 150 organizations, including government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

ON May 25, hackers started a wide-scale spear-phishing campaign using a compromised USAID account. Victims who clicked the links in the email were prompted to download HTML attachments.

"Upon a recipient clicking on a spear-phishing email's hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," the DoJ said in a statement.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

"The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court's seizure order."

Assistant Director in Charge of the FBI's Washington Field Office Steven D'Antuono said the court-authorized domain seizures reflect the FBI Washington Field Office's "continued commitment to cyber victims in our region".

"These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries," he added.

The DoJ said the National Security Division's Counterintelligence and Export Control Section and the United States Attorney's Office for the Eastern District of Virginia are continuing investigations with the FBI's Cyber Division and Washington Field Office.

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

FCC commissioner urges Apple and Google to remove TikTok from app stores
data protection

FCC commissioner urges Apple and Google to remove TikTok from app stores

29 Jun 2022
NOAA unveils two new supercomputers in effort to better predict extreme weather
high-performance computing (HPC)

NOAA unveils two new supercomputers in effort to better predict extreme weather

29 Jun 2022
Google aims to court US public sector with new division
public sector

Google aims to court US public sector with new division

29 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022
Why India wants to become a chipmaking powerhouse
components

Why India wants to become a chipmaking powerhouse

28 Jun 2022