Feds seize two domains used by SolarWinds intruders for malware spear-phishing op
Info-stealing scheme, attributed to Russia-affiliated crew, relied on spoof USAID marketing messages
Uncle Sam on Tuesday said it had seized two web domains used to foist malware on victims using spoofed emails from the US Agency for International Development (USAID).
The domain takeovers, which occurred on Friday, followed a court order issued in the wake of a Microsoft report warning about the spear-phishing campaign. The phishing effort relied on malware-laden messages sent via marketing service Constant Contact.
"Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting US Attorney Raj Parekh for the Eastern District of Virginia, in a statement.
"As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats."
On or about May 25, 2021, the US Justice Department said, threat actors launched a spear-phishing campaign using a compromised Constant Contact email account. The malicious messages, masquerading as legitimate emails from USAID, went out to thousands of email accounts at over a hundred different organizations.
- Russian gang behind SolarWinds hack returns with phishing attack disguised as mail from US aid agency
- Have I Been Pwned goes open source, bags help from FBI
- What happens when a security hole is fixed in WebKit's source but not released as a patch by Apple? Let's find out
- Apple patches macOS flaw exploited by malware to secretly snap screenshots
"Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice.com," the Justice Department said. "Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network."
The Cobalt Strike malware received communications from other subdomains of theyardservice.com and of worldhomeoutlet.com. Those were the two internet domains seized.
Microsoft attributed the attack to the Russia-aligned Nobelium/CozyBear/APT 29 group that's also blamed for the cyberattack on SolarWinds.
Sergei Naryshkin, director of Russia's SVR spy agency, recently denied Russia's involvement in the SolarWinds supply chain attack and blamed the US and UK.
The US, perhaps because President Biden is preparing to meet with Russian president Vladimir Putin on June, 16, 2021 in Geneva, Switzerland, did not mention Russia or any suspected threat actor in its statement about the domain takedowns. It omitted any attribution claim.
When Principal Deputy Press Secretary Karine Jean-Pierre was asked on Friday "how the latest reported hack that’s attributed to Russia" might impact the upcoming summit, Jean-Pierre also made no mention of Russia and referred questions to USAID or CISA.
On Tuesday, after meat processor JSB Foods told US authorities it had been hit with a ransomware attack, likely from Russia, Jean-Pierre said, "The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals."
Earlier this month, Colonial Pipeline shut down temporarily to deal with a ransomware attack attributed to the DarkSide group, believed to operate out of Eastern Europe or Russia.
The Russian government has denied any involvement in that attack too. ®