US authorities seized domains used by hacker group APT29

Microsoft experts said last week that the Russian hacker group APT29 (aka Cozy Bear, Dukes, Nobelium), the group behind the SolarWinds attack, attacked the US Agency for International Development using four new malware families in the campaign.

The hackers compromised the agency’s Constant Contact account and then used that account to impersonate agency staff in phishing emails that appeared to be authentic.

In total, the attackers sent phishing messages to approximately 3,000 accounts in more than 150 organizations, including government agencies and organizations involved in international development, humanitarian and human rights activities.

The FBI and the Justice Department are now reporting that they managed to hijack two domains that the hack group used during these attacks.

“After the recipient of the phishing email clicked on the hyperlink, the victim’s computer downloaded malware from a subdomain of theyardservice[.]com. Using this foothold, the criminals downloaded the Cobalt Strike tool to maintain a constant presence on the system, and also likely installed additional tools and malware on the victims’ network. The Cobalt Strike installation communicated with the C&C server through other subdomains of theyardservice[.]com, as well as the worldhomeoutlet[.]com domain,” write the specialists of the Justice Department.
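The infection chain described above leaves a simple trace for defenders: DNS queries and HTTP(S) requests to the two seized domains and their subdomains. The following is an added example, not code from the original article or from the FBI/DOJ, showing a small log sweep for those two indicators. The log format, the client IP addresses, and every hostname other than the two domains named on the page are constructed for illustration; a real deployment would feed it the organisation’s own DNS resolver and proxy logs.

```python
import re
from typing import Iterable, List, Optional, Set

# The two domains named in the DOJ announcement, kept defanged as they appear in the text.
SEIZED_DOMAINS_DEFANGED = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (foo[.]com) back into a hostname we can match on."""
    return indicator.replace("[.]", ".").lower().strip(".")


WATCHLIST = {refang(d) for d in SEIZED_DOMAINS_DEFANGED}


def host_matches(host: str, watchlist: Set[str] = WATCHLIST) -> Optional[str]:
    """Return the watchlisted domain that `host` equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries so that a look-alike such as
    'nottheyardservice.com' is NOT treated as a hit.
    """
    host = host.lower().rstrip(".")
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Constructed sample lines: "<timestamp> <client ip> <dns|proxy> <details>".
# Client IPs and the non-indicator hostnames are invented for this example.
SAMPLE_LOG = """\
2021-05-27T14:02:11Z 10.1.4.22 dns A update.theyardservice.com
2021-05-27T14:02:13Z 10.1.4.22 proxy GET https://cdn.theyardservice.com/dapp/loader
2021-05-27T14:05:40Z 10.1.7.9 dns A www.example.org
2021-05-27T14:06:02Z 10.1.4.22 proxy POST https://worldhomeoutlet.com/api/v1/data
2021-05-27T14:07:15Z 10.1.9.3 dns A nottheyardservice.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|proxy)\s+(?P<rest>.+)$")


def extract_host(kind: str, rest: str) -> str:
    """Pull the queried/contacted hostname out of the free-text part of a line."""
    if kind == "dns":
        return rest.split()[-1]  # "A update.theyardservice.com" -> query name is last
    url = rest.split()[-1]       # "GET https://host/path" -> URL is last
    url = re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE)
    return url.split("/", 1)[0].split(":", 1)[0]


def scan_logs(lines: Iterable[str]) -> List[dict]:
    """Return one record per line that touches a seized domain or one of its subdomains."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the sweep
        host = extract_host(m["kind"], m["rest"])
        matched = host_matches(host)
        if matched:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": m["kind"],
                         "host": host, "indicator": matched})
    return hits


def suspect_clients(lines: Iterable[str]) -> Set[str]:
    """Client IPs that should be pulled for triage (possible Cobalt Strike beacons)."""
    return {h["src"] for h in scan_logs(lines)}


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} {hit['kind']} -> {hit['host']} (matches {hit['indicator']})")
    print("clients to triage:", sorted(suspect_clients(SAMPLE_LOG.splitlines())))
```

Because the seizure sinkholes the domains rather than removing the implant, a client that resolved or contacted them before the takedown is still worth a host-level look for Cobalt Strike artefacts and any secondary backdoors.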

After receiving a court order, the authorities seized these two domains in order to block attackers from infecting new systems and interacting with previously infected hosts.

However, the actors may have deployed additional backdoors between the time of the initial compromises and the attack last week.

“The FBI remains committed to disrupting this type of malicious cyber activity targeting our federal agencies and the American public. We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division.

Let me remind you that we wrote that Chinese hackers also took part in attacks on SolarWinds clients.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
