FBI seizes domains linked to SolarWinds hack and USAID phishing attack

Cybercriminal group known as APT29 used impersonated USAID emails

[Image: Phishing emails linked to Russian hacker group impersonate USAID]

The US Department of Justice (DoJ) and the Federal Bureau of Investigation (FBI) have taken down two domains, theyardservice.com and worldhomeoutlet.com, linked to USAID (the U.S. Agency for International Development) phishing attacks.[1] The domains were used to receive data stolen from victims and to deliver further malware to infected devices.

The seized domains should give law enforcement insight into the scale of the incident and help it notify the affected people and organizations. According to reports, the threat actors behind these phishing attacks compromised USAID's Constant Contact account, which allowed them to send email as the agency.

They sent out around 3,000 emails to more than 150 organizations, including government institutions and human rights agencies. The USAID phishing emails primarily targeted institutions in the US, but organizations in at least 24 other countries may also have been affected.

Phishing emails contained links to dangerous malware

The legitimate-looking emails urged recipients to click on the provided link. Those who did were prompted to download an HTML document that delivered four new malware strains:

  • EnvyScout – used to extract the NTLM credentials of Windows accounts;
  • BoomBox – malicious file downloader;
  • NativeZone – malicious file loader;
  • VaporRage – used to download shellcode from a remote command and control server and execute it, which lets the attackers deliver additional malware of their choice.

According to research, the VaporRage malware downloaded Cobalt Strike beacons. Those beacons let the attackers behind the USAID phishing attacks take control of the victim's device, or even the whole network, and download additional malware. The Department of Justice stated:[2]

Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network.
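As an added illustration (not code from the article, the DoJ or Microsoft), the check a defender would run over web-proxy logs after a notice like this one: find every client that reached the seized domains or, as the DoJ quote notes, any sub-domain of them. The log format, hostnames and log lines below are constructed for the example.

```python
import re

# Domains named in the DoJ seizure notice; "[.]" is the defanged form
# used in the quoted statement and in most threat-intel feeds.
SEIZED_DOMAINS = ["theyardservice[.]com", "worldhomeoutlet.com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a real domain."""
    return indicator.replace("[.]", ".").lower().strip(".")

def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or any sub-domain of it.
    A plain substring test would also flag 'nottheyardservice.com'."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

# Minimal proxy access-log line (constructed format): timestamp client method url
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)

def find_hits(log_lines, indicators=SEIZED_DOMAINS):
    """Return (timestamp, client, matched_domain, url) for every log line whose
    destination host is one of the seized domains or a sub-domain of one."""
    domains = [refang(d) for d in indicators]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        h = HOST_RE.match(m["url"])
        if not h:
            continue
        for d in domains:
            if host_matches(h.group(1), d):
                hits.append((m["ts"], m["client"], d, m["url"]))
                break
    return hits

# Constructed sample log lines (not real traffic); the sub-domain and paths
# are made up for illustration.
SAMPLE_LOG = """\
1622222001 10.0.0.15 GET https://www.usaid.gov/news
1622222007 10.0.0.15 GET https://cdn.theyardservice.com/files/invite.html
1622222013 10.0.0.21 GET https://nottheyardservice.com/index.html
1622222019 10.0.0.21 POST https://worldhomeoutlet.com/upload
""".splitlines()

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("HIT", *hit)
```

Each hit identifies a client worth triaging; the third sample line shows why suffix matching on a dot boundary matters.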

If the victim's device was made by Apple, the downloaded malware used a zero-day exploit that has since been patched. Microsoft has claimed that its Windows Defender security tool can identify these infections and prevent them from doing their dirty deeds.

Russian-backed hackers linked to other recent attacks

Microsoft Threat Intelligence Center (MSTIC) has reported[3] that the Russian hacker group Nobelium (also known as The Dukes, Cozy Bear, and APT29) is behind these cyberattacks. The Russian Foreign Intelligence Service (SVR) is believed to be backing this group.

Nobelium is believed to be responsible for the JBS Foods ransomware attack that took place this weekend and crippled the IT and internet systems of the largest meat processor in the world. The ransom amount was not disclosed, but the attack resulted in a shutdown of facilities across Australia and Canada. According to the US government, the same group was to blame for the massive SolarWinds hack[4] that occurred last year.

DarkSide, another hacker organization that allegedly has ties to the Russian government, has claimed[5] responsibility for the Colonial Pipeline hack that caused a gas shortage in the Southeast of the US. The Russian government denies all allegations and states that it has nothing to do with those cybercriminal groups.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
