Justice Department seizes domains used in Nobelium-USAID phishing campaign

Two command-and-control and malware distribution domains connected to the USAID attack were taken over by federal officials.
Written by Jonathan Greig, Contributor

The US Justice Department announced on Tuesday that it has seized two domains used for command-and-control and malware distribution in a phishing campaign that Microsoft disclosed last week.

Nobelium, the group Microsoft and CISA believe was behind the SolarWinds supply-chain attack, was found running a widespread malicious email campaign: it used the US Agency for International Development's (USAID) account with the mass-mailing service Constant Contact to send emails carrying a malicious link to thousands of recipients.

Both Microsoft and CISA released alerts about the attack and the Washington Post as well as the New York Times reported that few, if any, of the malicious emails were opened.

But the Justice Department said on Tuesday that its seizure of the two domains "was aimed at disrupting the malicious actors' follow-on exploitation of victims, as well as identifying compromised victims." 

"The actors may have deployed additional backdoor accesses between the time of the initial compromises and last week's seizures," the government statement said. 

The initial attack was believed to have originated from the Russian Foreign Intelligence Service and targeted governmental as well as non-profit organizations focused on European politics. Acting US Attorney Raj Parekh said the spear-phishing attack could have caused "widespread damage throughout affected computer networks and can result in significant harm to unsuspecting individual victims, government agencies, NGOs, and private businesses."

Bryan Vorndran, Assistant Director of the FBI's Cyber Division, added that the bureau is committed to working with domestic and international partners to disrupt attacks directed at government agencies.

"We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats," Vorndran said. 

More than 3,000 people were targeted through the compromised USAID account, and the emails were dressed up as "special alerts" and similar lures designed to get recipients to open them and follow the link inside.

Some of those targeted in the attacks have been critical of the Russian government while others are involved in international development, humanitarian and human rights work across Europe and the United States. 

The emails contained a hyperlink that downloaded malware from a subdomain of theyardservice[.]com; from there, the people behind the attack could download "the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," according to the Justice Department.

"The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court's seizure order," the statement said. 
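For defenders, the practical follow-up to a seizure like this is checking whether anything on the network ever resolved or contacted the named domains. Because the statement says the beacon used "other subdomains" of theyardservice[.]com, a check must match any subdomain of a seized domain, not just the apex, while avoiding naive substring matching (a lookalike such as nottheyardservice.com must not count). The following is an added example written for this article, not code from the Justice Department, Microsoft or ZDNet; the DNS log format (epoch, client, query type, query name) and the log lines themselves are constructed for illustration.

```python
"""Match seized C2 domains (and any subdomain) against DNS query logs."""
import re
from typing import Iterable, List, Tuple

# The two domains named in the DOJ statement, kept defanged as written in the article.
SEIZED_DOMAINS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'example[.]com' into 'example.com'.

    Lowercases the name and strips a trailing dot so FQDN-style log entries
    ('cdn.example.com.') compare equal to the bare domain.
    """
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


def is_match(query: str, seized: Iterable[str]) -> bool:
    """True if query equals a seized domain or is one of its subdomains.

    The comparison is on label boundaries, not a substring search, so
    'nottheyardservice.com' does not match 'theyardservice.com'.
    """
    q = refang(query)
    for dom in seized:
        d = refang(dom)
        if q == d or q.endswith("." + d):
            return True
    return False


# Constructed sample log lines (not real traffic). Assumed format:
# "<epoch> <client-ip> <query-type> <query-name>"
SAMPLE_DNS_LOG = """\
1622000001 10.1.2.3 A cdn.theyardservice.com.
1622000002 10.1.2.3 A www.example.org
1622000003 10.1.2.4 A worldhomeoutlet.com
1622000004 10.1.2.5 A nottheyardservice.com
1622000005 10.1.2.6 A API.Beacon.WORLDHOMEOUTLET.COM
"""

LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<query>\S+)$")


def find_hits(log_text: str, seized: Iterable[str] = SEIZED_DOMAINS) -> List[Tuple[str, str]]:
    """Return (client, normalized query) for every line that resolved a seized domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        if is_match(m.group("query"), seized):
            hits.append((m.group("client"), refang(m.group("query"))))
    return hits


if __name__ == "__main__":
    for client, query in find_hits(SAMPLE_DNS_LOG):
        print(f"{client} queried seized C2 domain {query}")
```

Run against the constructed log, the sweep flags three lines (the subdomain of theyardservice[.]com, the apex worldhomeoutlet[.]com, and a mixed-case subdomain of it) and ignores the lookalike. The same `is_match` logic applies to proxy logs or Zeek `dns.log` exports once the line parser is adjusted; a hit means a host should be examined for a Cobalt Strike beacon and any follow-on implants, since the seizure only cuts off the C2 path, not what was already deployed.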

Cybersecurity experts like Netenrich threat intelligence advisor John Bambenek said that what is novel about the Justice Department's actions was that they used the legal process to relatively quickly seize domains and protect its own interests in a straightforward way. 

"If governments can start doing this quickly, not just on APT threats but conventional cybercrime, we can have a greater disruptive effect on cybercrime," Bambenek said. 

Hank Schless, senior manager of security solutions at Lookout, said that seizing the domains and command-and-control servers used in phishing campaigns gives researchers leads on who is running a campaign and where else they might be carrying out malicious activity.

"Most threat actors likely have backups of their malicious campaigns and can spin out new versions of the same activity on different domains and servers. However, reusing the same campaign means that it will likely possess identifiable heuristics or characteristics in the future," Schless explained to ZDNet.  

He noted that seizing recently used domains and command-and-control servers enables proactive threat research and helps mitigate the risk of similar attacks in the future.

By amassing a sizable batch of threat intelligence, datasets can grow and more threats can be identified, allowing for the creation of machine learning tools that help enable automatic discovery and conviction of malicious phishing campaigns and actors, Schless said. 

"Since attackers often reuse bits and pieces of previous malware or even naming tactics in their campaigns, a large enough dataset will be able to identify and protect against both known and unknown threats before they reach any sort of sizable scale," he told ZDNet.

"It's encouraging to see the Justice Department take steps that could deter threat actors from targeting US Federal agencies in particular."
