US Seizes Attacker Domains Used in USAID Phishing Campaign
The United States has seized two command-and-control and malware-distribution domains that were used in a recently disclosed spearphishing campaign impersonating email communications from the US Agency for International Development (USAID). The attack was disclosed by Microsoft and Volexity last week, and the operation has been attributed to a group referred to as Nobelium. Nobelium is a Russian-speaking group thought to be behind the SolarWinds supply chain attack and is tracked under a few different names. According to Microsoft, the group has been operating and evolving the email spearphishing campaign for several months.
The group has allegedly targeted 350 organizations across several different industries as part of the campaign, says the Cybersecurity and Infrastructure Security Agency, which released a statement on May 28. Attackers gained access to USAID's account for Constant Contact, a legitimate platform used by the agency for email marketing. That access allowed the threat actors to send seemingly authentic emails from inside USAID. Victims who clicked on the links in the malicious emails were prompted to download malware, according to the DoJ. After gaining this foothold, the attackers deployed a Cobalt Strike tool that was used to maintain persistence on the network and potentially deploy additional tools. The two domains were seized following a court order.