US Seizes Domains Used by SolarWinds Hackers in Cyber Espionage Attacks
Days after Microsoft, Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice (DoJ) Tuesday said it intervened to take control of two command-and-control (C2) and malware distribution domains used in the campaign.
The court-authorized domain seizure took place on May 28, the DoJ said, adding that the action was aimed at disrupting the threat actors' follow-on exploitation of victims as well as blocking their ability to compromise new systems. The department, however, cautioned that the adversary might have deployed additional backdoor accesses in the interim period between when the initial compromises occurred and when the seizures took place last week.
"[The] action is a continued demonstration of the Department's commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation," said Assistant Attorney General John C. Demers for the Justice Department's National Security Division. "Law enforcement remains an integral part of the U.S. government's broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats."
The two domains in question — theyardservice[.]com and worldhomeoutlet[.]com — were used to communicate with and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks. The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.
Once the recipients clicked on the embedded link in the email message, a sub-domain of theyardservice[.]com was used to gain an initial foothold on the victim machine, which was then used to retrieve the Cobalt Strike backdoor to maintain a persistent presence and potentially deliver additional payloads. "The actors' instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com," the DoJ said.
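Since the beacon talked to the initial-access host and to C2 over subdomains of the seized domains, a retrospective hunt needs to match any subdomain, not just the apex. The following is an added illustration, not code from the article or the DoJ: it refangs the two indicators as printed above and checks constructed proxy-log lines (hypothetical "timestamp client host" format, private sample IPs) against them on label boundaries, so a look-alike such as nottheyardservice.com does not match.

```python
# Added example (not from the article): hunt proxy/DNS log lines for the two
# seized C2 domains, matching the apex domain and any subdomain of it.
import re
from typing import List, Optional, Tuple

# Indicators from the DoJ notice, in the defanged form the article prints.
DEFANGED_IOCS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]

def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com' (lower-cased, no trailing dot)."""
    return domain.replace("[.]", ".").lower().rstrip(".")

IOC_DOMAINS = [refang(d) for d in DEFANGED_IOCS]

def matches_ioc(hostname: str) -> Optional[str]:
    """Return the matching indicator if hostname is that domain or a subdomain.
    Label-boundary aware: 'nottheyardservice.com' must NOT match."""
    host = hostname.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

# Hypothetical log format (constructed for this example): "<timestamp> <client> <host>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+)$")

def hunt(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, host, ioc) for each line that hits an indicator."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole hunt
        ts, client, host = m.groups()
        ioc = matches_ioc(host)
        if ioc:
            hits.append((ts, client, host, ioc))
    return hits

# Constructed sample log lines; the client IPs are private and made up.
SAMPLE_LOG = [
    "2021-05-25T14:02:11Z 10.0.4.17 cdn.theyardservice.com",
    "2021-05-25T14:02:40Z 10.0.4.17 www.example.org",
    "2021-05-25T14:05:03Z 10.0.4.17 worldhomeoutlet.com",
    "2021-05-25T14:06:00Z 10.0.9.3 nottheyardservice.com",
    "2021-05-25T14:07:22Z 10.0.9.3 WorldHomeOutlet.COM.",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```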
Microsoft attributed the ongoing intrusions to the Russian threat actor it tracks as Nobelium, which the wider cybersecurity community tracks under the monikers APT29, UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (Crowdstrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).