Internet Domains Used by APT29 in Phishing Attacks Seized by the US
Two Internet Domains Used by Nobelium in Recent USAID Phishing Attacks Were Seized by the US Department of Justice.
The Internet domains were used in impersonating the U.S. Agency for International Development (USAID) for the distribution of malware in phishing attacks in order for the attackers to gain access to internal networks.
The domains seized are theyardservice[.]com and worldhomeoutlet[.]com. The domains were used to receive the data that was exfiltrated from victims of the targeted phishing attacks and to send further commands malware in an attempt to execute on infected machines.
Microsoft has disclosed the attacks recently and declared they were conducted by a Russian state-affiliated hacking group known as NOBELIUM (APT29, Cozy Bear, and The Dukes), with the group supposedly being affiliated with the Russian Foreign Intelligence Service (SVR).
NOBELIUM compromised a Contact Contact account using email campaigns, therefore managing to impersonate USAID in phishing emails that were sent to approximately 3,000 email accounts at more than 150 different organizations, including government agencies and human rights organizations.
Nobelium is an actor that operates with rapid operational tempo, often leveraging temporary infrastructure, payloads, and methods to obfuscate their activities.
Such design and deployment patterns, which also include the staging of payloads on a compromised website, hamper traditional artifacts and forensic investigations, allowing for unique payloads to remain undiscovered.
The targeted recipients who received the emails and accessed the enclosed links got prompted to download some HTML attachments that would install four new malware created by the threat actors.
The malware was meant to eventually help in installing remote access software, like Cobalt Strike beacons, and provide full access to victims’ computers, and ultimately the network.
Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network.
The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.
The operation was conducted by the FBI Washington Field Office and it will allow law enforcement to gain a better understanding of who was breached during this attack and notify victims.
CISA and the FBI believe that approximately 350 organizations were affected by the attack.
At this point, CISA has not identified significant impact on Federal government agencies resulting from these activities,” the joint statement says. “CISA continues to work with the FBI to understand the scope of these activities and assist potentially impacted entities.
Alongside the joint statement released, the FBI and CISA released a joint activity alert containing information regarding the type of attack and the mitigation efforts that were made, with having multi-factor authentication on every account being at the top of the list.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;