The day after Microsoft and Volexity exposed a spear-phishing campaign by actors suspected to be connected to Russia’s Foreign Intelligence Service, the Department of Justice seized two domains used by the attackers for command-and-control with compromised machines.
The seizure is designed to disrupt the communications between the attackers and the computers of anyone who opened the phishing emails and eventually had the malicious payload installed. The infection chain used in the campaign is complex and involves several separate stages, but the final payload in many cases is a Cobalt Strike Beacon. The domains that the Department of Justice seized were used for C2 communications with those Cobalt Strike Beacons. The campaign that Microsoft and Volexity investigated involved the actors gaining access to a legitimate email marketing account used by the United States Agency for International Development and then sending phishing emails from that account to a select group of potential victims. The emails looked quite authentic and didn’t bear any of the hallmarks of phishing messages, such as grammatical or spelling errors.
“Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network,” the Department of Justice announcement says.
“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.”
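The two domains named in the DOJ announcement are the only indicators the article gives, but they are enough for a defender to check historical DNS logs for hosts that may have reached the Cobalt Strike C2 before the seizure. The following Python is an added example written for this article; it is not code from the DOJ, Microsoft or Volexity. It refangs the defanged domains as printed above, matches query names on label boundaries (so a subdomain of theyardservice[.]com matches, while a look-alike name that merely contains the string does not), and runs over a few constructed DNS log lines whose "timestamp client qname qtype" format is an assumption, not any particular resolver's output.

```python
"""Flag DNS queries to the C2 domains the article names (added example, not from the original page)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Defanged indicators exactly as the article prints them; refang() restores the real dots.
SEIZED_DOMAINS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com', drop a trailing dot, and lower-case it."""
    return domain.replace("[.]", ".").strip().rstrip(".").lower()


def matches_ioc(qname: str, ioc_domains: List[str]) -> Optional[str]:
    """Return the matching indicator if qname equals it or is one of its subdomains.

    Matching is done on label boundaries: 'dataplane.theyardservice.com' matches
    'theyardservice.com', but 'nottheyardservice.com' and
    'theyardservice.com.evil-lookalike.net' do not.
    """
    q = refang(qname)
    for ioc in ioc_domains:
        d = refang(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed sample log; the "timestamp client qname qtype" layout is an assumption.
SAMPLE_DNS_LOG = """\
2021-05-28T14:02:11Z 10.0.3.17 login.microsoftonline.com A
2021-05-28T14:02:13Z 10.0.3.17 dataplane.theyardservice.com A
2021-05-28T14:02:15Z 10.0.3.42 nottheyardservice.com A
2021-05-28T14:03:01Z 10.0.3.17 WORLDHOMEOUTLET.COM. A
2021-05-28T14:03:09Z 10.0.3.99 cdn.theyardservice.com.evil-lookalike.net A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    ioc: str


def scan_dns_log(text: str, ioc_domains: List[str] = SEIZED_DOMAINS) -> List[Hit]:
    """Parse each log line and collect the queries that resolve a seized C2 domain."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole scan
        ts, client, qname, _qtype = m.groups()
        ioc = matches_ioc(qname, ioc_domains)
        if ioc:
            hits.append(Hit(ts, client, qname, ioc))
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client} queried {h.qname} -> seized C2 domain {h.ioc}")
```

On the constructed log only the two queries from 10.0.3.17 are reported; that host is the one a responder would triage first, since the article describes Cobalt Strike beaconing to subdomains of theyardservice[.]com and to worldhomeoutlet[.]com. After the seizure those names no longer lead to the attackers' server, so a sighting is evidence of an earlier compromise rather than a live session.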
Microsoft attributed the campaign to a group it calls Nobelium, which is the same set of actors blamed for the SolarWinds intrusion late last year. The group is aligned with the Russian SVR and is also known as the Dukes and APT29. Volexity did not directly attribute the attack to any actor, but identified some similarities in the infrastructure and techniques between this campaign and known APT29 campaigns. However, other elements of the campaign are unique and bear no resemblance to earlier operations by APT29 or other Russian actors.
“After the extensive revelations of Russian state-sponsored cyberespionage activities over the past five years, teams like APT28 (aka FancyBear, STRONTIUM) and APT29 (aka CozyBear, The Dukes) have retooled and reorganized extensively to avoid easy tracking by Western governments and security vendors alike. The operations of ‘APT29’ no longer look anything like they did in the past half decade. At this point our preconceptions about these groups are doing more to cloud our judgment than they elucidate,” said Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne, who has been tracking APT actors for many years.
The spear-phishing campaign carried out by Nobelium began in January and went through a few different evolutions, with the most recent one using the compromised USAID email account and targeting government agencies and various non-profits.
“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia.
“As demonstrated by the court-authorized seizure of these malicious domains, we are committed to using all available tools to protect the public and our government from these worldwide hacking threats.”