APT29 accused of compromising USAID email account

Domain seizure blocks spear-phishing campaign linked to SolarWinds attackers

US authorities have seized two command and control hubs linked to a recent spate of spear-phishing emails that posed as messages from the Agency for International Development (USAID).

The court action and enforcement from the US Justice Department follows a warning by Microsoft of malicious activity by the so-called Nobelium Group – the same group of cyber-spies blamed for last year’s infamous SolarWinds hack.

Nobelium – tracked as APT29 and more commonly known as ‘Cozy Bear’ – is suspected to be a unit of Russian intelligence linked to the country’s Foreign Intelligence Service (SVR) and also associated with its Federal Security Service (FSB).

The web domain seizure enforcement action aims to clamp down on the group’s latest campaign.

Compromised account

On or around May 25, malicious parties abused a compromised USAID account at a legitimate mass mailing service to launch a spear-phishing campaign sent to “thousands of email accounts at over one hundred entities”.

These malicious messages purported to contain a “special alert” from USAID which was designed to trick prospective victims into clicking on a link and visiting a malicious site loaded with malware.

“The seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims,” according to a US Department of Justice statement on the case.

“However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.”

The attack was ultimately geared towards planting a backdoor on victims’ PCs by infecting them with Cobalt Strike Beacon, the implant component of the Cobalt Strike attack tool.

As detailed in Microsoft’s blog post, the attack was under development for weeks prior to the mass mailing.

For example, in March, the attackers attempted to compromise systems through an HTML file attached to a spear-phishing email, as Microsoft explains:

When opened by the targeted user, a JavaScript within the HTML wrote an ISO file to disc and encouraged the target to open it, resulting in the ISO file being mounted much like an external or network drive.

From here, a shortcut file would execute an accompanying DLL, which would result in Cobalt Strike Beacon executing on the system.
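The chain Microsoft describes starts with an HTML attachment that carries the ISO image inside itself and uses JavaScript to write it to disk, a technique usually called HTML smuggling. Because the image never crosses the network as a file, mail and proxy filters keyed on attachment type miss it; the reliable place to look is inside the HTML. The scanner below is an added example, not code from Microsoft or from the Daily Swig: it pulls long base64 runs out of an HTML document, decodes them and checks for the ISO 9660 volume descriptor signature (“CD001” at byte offset 0x8001), then notes which browser download idioms the page uses. The lure page and the ISO bytes it contains are constructed stand-ins built inside the script (the image is only a valid descriptor header, not a real filesystem, and the volume label is invented), so the whole thing runs offline.

```python
import base64
import re

# ISO 9660 primary volume descriptor sits at byte 0x8000; bytes 1-5 of it are
# the standard identifier "CD001". A decoded blob with that marker at that
# offset is an optical-disc image no matter what the page calls it.
ISO_MAGIC = b"CD001"
ISO_MAGIC_OFFSET = 0x8001
VOLUME_ID_OFFSET = 0x8028  # 32-byte, space-padded volume identifier field

# Long uninterrupted runs of base64 text; smuggled payloads usually sit in one string.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")

# JavaScript idioms that turn decoded bytes into a file the browser saves.
DROPPER_MARKERS = ("atob(", "URL.createObjectURL", "msSaveOrOpenBlob",
                   ".download", "new Blob(")


def decode_blob(text: str):
    """Strict base64 decode; returns None for bad padding or stray characters."""
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None


def scan_html(html: str) -> dict:
    """Report embedded blobs that decode to ISO 9660 images and the
    download idioms present; 'suspicious' needs both an image and
    at least two dropper idioms, so a plain data: URI image is not flagged."""
    isos = []
    for match in BASE64_RE.finditer(html):
        blob = decode_blob(match.group(0))
        if blob is None or len(blob) < ISO_MAGIC_OFFSET + len(ISO_MAGIC):
            continue
        if blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
            label = blob[VOLUME_ID_OFFSET:VOLUME_ID_OFFSET + 32]
            isos.append({
                "offset": match.start(),
                "size": len(blob),
                "volume_id": label.decode("ascii", "replace").strip(),
            })
    markers = [m for m in DROPPER_MARKERS if m in html]
    return {
        "iso_images": isos,
        "dropper_markers": markers,
        "suspicious": bool(isos) and len(markers) >= 2,
    }


def build_sample_iso(volume_id: str = "USAID_ALERT") -> bytes:
    """Constructed stand-in for a smuggled image: a buffer carrying only the
    primary volume descriptor header, enough to be recognised as ISO 9660."""
    img = bytearray(0x8000 + 2048)
    img[0x8000] = 0x01                                   # descriptor type: primary
    img[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    img[0x8006] = 0x01                                   # descriptor version
    img[VOLUME_ID_OFFSET:VOLUME_ID_OFFSET + 32] = volume_id.encode().ljust(32)
    return bytes(img)


def smuggling_page(iso: bytes) -> str:
    """Constructed lure page in the shape Microsoft describes: script decodes
    the embedded image and hands it to the browser as an .iso download."""
    b64 = base64.b64encode(iso).decode()
    return (
        "<html><body><p>Special alert</p><script>\n"
        'var data = "' + b64 + '";\n'
        "var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
        'var blob = new Blob([bytes], {type: "application/octet-stream"});\n'
        'var a = document.createElement("a");\n'
        'a.href = URL.createObjectURL(blob); a.download = "alert.iso"; a.click();\n'
        "</script></body></html>"
    )


# Constructed benign page: a large inline image, also base64, but not an ISO.
BENIGN_PAGE = ('<img src="data:image/png;base64,'
               + base64.b64encode(b"\x89PNG" + bytes(40000)).decode() + '">')


if __name__ == "__main__":
    print(scan_html(smuggling_page(build_sample_iso())))
    print(scan_html(BENIGN_PAGE))
```

Real droppers often split or obfuscate the base64 string, so a production version would also evaluate concatenations and look for the descriptor after decoding with other schemes; the check above is the one that makes the ISO itself, rather than the wrapper, the indicator.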

The Cobalt Strike Beacon received its command and control traffic via subdomains of theyardservice[.]com, as well as via the domain worldhomeoutlet[.]com – the two domains seized by the US authorities.
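Since the Justice Department notes that the seizure may have missed backdoors planted before it, the practical follow-up for a defender is a retrospective search of DNS or proxy logs for the two domains. The script below is an added example, not part of the article or of any vendor tooling: it matches a query against the seized domains on label boundaries, so that any subdomain of theyardservice[.]com is caught while a look-alike such as nottheyardservice[.]com is not (a plain suffix or substring test would flag it), and it groups hits by querying host. The log lines, hosts and timestamps are constructed sample data in a simple “timestamp client query” layout, not real telemetry.

```python
# Seized C2 domains from the case, written plainly for matching; defanged
# "[.]" notation is normalised away in is_c2_domain().
SEIZED_DOMAINS = ("theyardservice.com", "worldhomeoutlet.com")


def is_c2_domain(name: str, indicators=SEIZED_DOMAINS) -> bool:
    """True when name equals an indicator or is one of its subdomains.
    Comparison is label by label, so 'nottheyardservice.com' does not match."""
    name = name.lower().replace("[.]", ".").rstrip(".")
    labels = name.split(".")
    for ioc in indicators:
        ioc_labels = ioc.lower().split(".")
        if len(labels) >= len(ioc_labels) and labels[-len(ioc_labels):] == ioc_labels:
            return True
    return False


def flag_c2_queries(log_text: str) -> dict:
    """Group matching queries by client: {client: [(timestamp, query), ...]}."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, query = line.split(maxsplit=2)
        if is_c2_domain(query):
            hits.setdefault(client, []).append((ts, query.rstrip(".")))
    return hits


# Constructed sample log: one benign lookup, two hosts talking to the C2
# domains, a look-alike that must not match, and a trailing-dot FQDN.
SAMPLE_DNS_LOG = """\
2021-05-26T09:14:02Z 10.20.1.15 time.windows.com
2021-05-26T09:14:07Z 10.20.1.15 cdn.theyardservice.com
2021-05-26T09:15:33Z 10.20.1.42 worldhomeoutlet.com
2021-05-26T09:16:10Z 10.20.1.51 nottheyardservice.com
2021-05-26T09:17:45Z 10.20.1.15 static.theyardservice.com.
"""

if __name__ == "__main__":
    for client, queries in flag_c2_queries(SAMPLE_DNS_LOG).items():
        print(client, queries)
```

Hosts that resolved either domain before the seizure are candidates for the follow-on access the DoJ statement warns about and should be checked for the ISO/LNK/DLL artefacts described above rather than simply blocked.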
