Justice Department seizes domains used in USAID spear-phishing attacks

The APT29 hacking group is behind recent campaign

USAID flag flying over a blue sky

The US Department of Justice (DoJ)  has confiscated two command-and-control (C2) and malware distribution domains used in a recent spear-phishing activity that imitated email communications from the US Agency for International Development (USAID). Bad actors used the domains to spread malware and access internal networks.

Microsoft was among the first to alert the public of the attacks last week. The hacking gang Nobelium, a Russian state-sponsored cybercriminal group, reportedly carried out the attacks. The gang, also known as APT29, was behind the SolarWinds attacks, the SUNBURST backdoorTEARDROP malwareGoldMax malware, and others.

The two domains seized were theyardservice[.]com and worldhomeoutlet[.]com. The threat actors used these domains to grab data from phishing victims and send commands to malware on compromised devices.

The phishing campaign used Constant Contact's service to send malicious links obscured behind the mailing service's URL. The hackers targeted approximately 3,000 accounts across more than 150 organizations, including government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

ON May 25, hackers started a wide-scale spear-phishing campaign using a compromised USAID account. Victims who clicked the links in the email were prompted to download HTML attachments.

"Upon a recipient clicking on a spear-phishing email's hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," the DoJ said in a statement.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

"The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court's seizure order."

Assistant Director in Charge of the FBI's Washington Field Office Steven D'Antuono said the court-authorized domain seizures reflect the FBI Washington Field Office's "continued commitment to cyber victims in our region".

"These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries," he added.

The DoJ said the National Security Division's Counterintelligence and Export Control Section and the United States Attorney's Office for the Eastern District of Virginia are continuing investigations with the FBI's Cyber Division and Washington Field Office.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

What is a web filter?
cyber security

What is a web filter?

24 Sep 2021
100 million IoT devices affected by zero-day flaw
Internet of Things (IoT)

100 million IoT devices affected by zero-day flaw

24 Sep 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
HP Wolf Security: Threat insights report
Whitepaper

HP Wolf Security: Threat insights report

24 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021