US seizes 2 domains used by APT29 in a recent phishing campaign

Pierluigi Paganini June 02, 2021

The US DoJ seized two domains used by APT29 group in recent attacks impersonating the U.S. USAID to spread malware.

The US Department of Justice (DoJ) and the Federal Bureau of Investigation have seized two domains used by the Russia-linked APT29 group in spear-phishing attacks that targeted government agencies, think tanks, consultants, and NGOs.

Russia-linked SVR group (aka APT29Cozy Bear, and The Dukes) along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks.

The two domains seized by the US authorities are theyardservice[.]com and worldhomeoutlet[.]com, the were employed used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware.

“On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID).” reported the DoJ. “This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.”

“These actions demonstrate our ability to quickly respond to malicious cyber activities by leveraging our unique authorities to disrupt our cyber adversaries.” said Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office.

The domains were used as part of the command and control infrastructure used by the cyberspies.

APT29 is also suspected to be behind the SolarWinds supply chain attack, the group allegedly compromised an account on the email marketing platform Constant Contact that belonged to US agency USAID.

The nation-state hackers used the account to send out 3,000 phishing messages to more than 150 organizations across 24 countries.

Upon a recipient clicking on a link included in the messages, the victim was directed to download malware from a sub-domain of theyardservice[.]com. Once gained an initial foothold, the attackers then downloaded the Cobalt Strike tool to achieve in the target system and deploy additional tools or malicious payloads.

“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.” continues the DoJ.

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

“We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT29)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment