APT29 accused of compromising USAID email account
US authorities have seized two command and control hubs linked to a recent spate of spear-phishing emails that posed as messages from the Agency for International Development (USAID).
The court action and enforcement from the US Justice Department follows a warning by Microsoft of malicious activity by the so-called Nobelium Group – the same group of cyber-spies blamed for last year’s infamous SolarWinds hack.
Nobelium – tracked as APT29 and more commonly known as ‘Cozy Bear’ – is suspected to be a unity of Russian intelligence linked to its Foreign Intelligence Service (SVR) and associated with its Foreign Intelligence Service (FSB).
The web domain seizure enforcement action aims to clamp down on the group’s latest campaign.
On or around May 25, malicious parties abused a compromised USAID account at a legitimate mass mailing service to launch a spear-phishing campaign sent to “thousands of email accounts at over one hundred entities”.
These malicious messages purported to contain a “special alert” from USAID which was designed to trick prospective victims into clicking on a link and visiting a malicious site loaded with malware.
“The seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims,” according to a US Department of Justice statement on the case.
“However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.”
The attack was ultimately geared towards planting a backdoor on PCs and getting victims infected with the Cobalt Strike attack tool.
As detailed in Microsoft’s blog post, the attack was under development for weeks prior to the mass mailing.
For example, in March, the attackers attempted to compromise systems through an HTML file attached to a spear-phishing email, as Microsoft explains:
From here, a shortcut file would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.
The Cobalt Strike tool received command and control communications via subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com, the two seized domains.