Justice Department seizes domains used in USAID spear-phishing attacks

The US Department of Justice (DoJ) has confiscated two command-and-control (C2) and malware distribution domains used in a recent spear-phishing activity that imitated email communications from the US Agency for International Development (USAID). Bad actors used the domains to spread malware and access internal networks.

Microsoft was among the first to alert the public of the attacks last week. The hacking gang Nobelium, a Russian state-sponsored cybercriminal group, reportedly carried out the attacks. The gang, also known as APT29, was behind the SolarWinds attacks, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and others.

The two domains seized were theyardservice[.]com and worldhomeoutlet[.]com. The threat actors used these domains to grab data from phishing victims and send commands to malware on compromised devices.

The phishing campaign used Constant Contact's service to send malicious links obscured behind the mailing service's URL. The hackers targeted approximately 3,000 accounts across more than 150 organizations, including government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.

ON May 25, hackers started a wide-scale spear-phishing campaign using a compromised USAID account. Victims who clicked the links in the email were prompted to download HTML attachments.

"Upon a recipient clicking on a spear-phishing email's hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," the DoJ said in a statement.

"The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court's seizure order."

Assistant Director in Charge of the FBI's Washington Field Office Steven D'Antuono said the court-authorized domain seizures reflect the FBI Washington Field Office's "continued commitment to cyber victims in our region".

"These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries," he added.

The DoJ said the National Security Division's Counterintelligence and Export Control Section and the United States Attorney's Office for the Eastern District of Virginia are continuing investigations with the FBI's Cyber Division and Washington Field Office.