Justice Department seizes domains used in USAID spear-phishing attacks

The APT29 hacking group is behind recent campaign

USAID flag flying over a blue sky

The US Department of Justice (DoJ)  has confiscated two command-and-control (C2) and malware distribution domains used in a recent spear-phishing activity that imitated email communications from the US Agency for International Development (USAID). Bad actors used the domains to spread malware and access internal networks.

Microsoft was among the first to alert the public of the attacks last week. The hacking gang Nobelium, a Russian state-sponsored cybercriminal group, reportedly carried out the attacks. The gang, also known as APT29, was behind the SolarWinds attacks, the SUNBURST backdoorTEARDROP malwareGoldMax malware, and others.

The two domains seized were theyardservice[.]com and worldhomeoutlet[.]com. The threat actors used these domains to grab data from phishing victims and send commands to malware on compromised devices.

The phishing campaign used Constant Contact's service to send malicious links obscured behind the mailing service's URL. The hackers targeted approximately 3,000 accounts across more than 150 organizations, including government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

ON May 25, hackers started a wide-scale spear-phishing campaign using a compromised USAID account. Victims who clicked the links in the email were prompted to download HTML attachments.

"Upon a recipient clicking on a spear-phishing email's hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," the DoJ said in a statement.

Related Resource

A guide to enterprise detection and response providers

The 12 providers that matter most and how they stack up

Forrester enterprise detection WPDownload now

"The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court's seizure order."

Assistant Director in Charge of the FBI's Washington Field Office Steven D'Antuono said the court-authorized domain seizures reflect the FBI Washington Field Office's "continued commitment to cyber victims in our region".

"These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries," he added.

The DoJ said the National Security Division's Counterintelligence and Export Control Section and the United States Attorney's Office for the Eastern District of Virginia are continuing investigations with the FBI's Cyber Division and Washington Field Office.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
X-rated phishing attacks just keep growing
phishing

X-rated phishing attacks just keep growing

4 Jun 2021
CISOs aren’t leading by example when it comes to cyber security
cyber security

CISOs aren’t leading by example when it comes to cyber security

24 May 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021

Most Popular

Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
Fastly blames software bug for major outage
public cloud

Fastly blames software bug for major outage

9 Jun 2021
GitHub to prohibit code that’s used in active attacks
cyber security

GitHub to prohibit code that’s used in active attacks

7 Jun 2021