Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
DOJ Seizes 2 Domains Linked to USAID Phishing CampaignFBI and CISA Continue to Probe Campaign That Targeted Marketing Firm
The Department of Justice announced Tuesday that it has seized two domains that were used during a recent phishing campaign that targeted a marketing firm used by the U.S. Agency for International Development - USAID - to send malicious messages to thousands of potential victims.
On Friday, federal prosecutors obtained a court order that allowed the Justice Department to seize two domains - theyardservice[dot]com and worldhomeoutlet[dot]com - which were used by the attacker for command-and-control infrastructure as well as distribution of malware, including a customized Cobalt Strike beacon that could be used as a backdoor, according to Tuesday's announcement.
See Also: OnDemand | Securing Business Growth: The Road to 24/7 Threat Detection and Response
"Last week's action is a continued demonstration of the department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation," says Assistant Attorney General John C. Demers of the Justice Department's National Security Division.
The seizure of the domains by federal authorities follows an alert and research report released by Microsoft on Thursday that described what the company called a Russian spear-phishing campaign that targeted the marketing firm Constant Contact used by USAID (see: SolarWinds Attackers Return With Fresh Phishing Campaign).
Microsoft says the group behind the phishing attack, which it calls Nobelium, is the same organization that conducted the SolarWinds supply chain attack, which affected 18,000 users of the Orion network monitoring platform and led to follow-on attacks on 100 companies and nine federal agencies. The Biden administration has accused Russia's Foreign Intelligence Service, or SVR, of conducting the SolarWinds supply chain attack.
Microsoft published an updated report Sunday that noted the company has not seen a "significant" number of organizations compromised as a result of the phishing campaign.
"As we have notified our targeted customers and watched closely for other reports, we are still not seeing evidence of any significant number of compromised organizations at this time," says Tom Burt, corporate vice president for customer security and trust at Microsoft, in an update posted Friday. "We will continue to monitor the situation, but so far this is good news."
Chris Pierson, CEO and founder of the security firm BlackCloak, notes that this latest incident continues a pattern of attackers targeting trusted third parties as a way to maximize a campaign.
"When we review the past 24 months of nation-state attacks, we see an increasing trend to attack trusted providers, third party solutions, or integrators as weak points," Pierson says. "Assurance reviews can only go so far in determining the risks. Companies really need to assume their providers will be targeted and find ways to wall off further access or impact for critical systems."
CISA and FBI Probe
The FBI and the Cybersecurity and Infrastructure Security Agency, which are continuing an investigation of the spear-phishing campaign, say in a new alert that the attackers who waged the campaign used a compromised end-user account belonging to Constant Contact, the marketing firm used by USAID, to send malicious messages to more than 7,000 inboxes belonging to 350 government organizations, intergovernmental organizations and nongovernmental organizations.
Most of the spear-phishing emails were sent to organizations in the U.S., although Microsoft and other security firms have seen these messages appear in other countries, including some in Europe.
The FBI, Justice Department and CISA have not attributed the latest phishing campaign to a specific group or nation-state. And they have not determined "that any individual accounts have been specifically targeted by this campaign," according to their latest alert.
Microsoft researchers say once the attackers compromised the Constant Contact account, they sent out phishing emails designed to look as if they had originated with USAID and containing subject lines designed to get users to click a link or open an attached file. In one case, a malicious email contained a message called "Donald Trump has published new documents on election fraud."
The FBI and CISA say that some of the phishing emails contained a benign decoy document that looked like a PDF version of the declassified Intelligence Community Assessment report that was published by the Office of the Director of National Intelligence in March.
That document is designed to entice the recipient to click on another malicious link embedded in the email, according to security firm Volexity, which is also tracking this phishing campaign.
The malicious links within the phishing emails deployed during this campaign were designed to eventually redirect the user to a landing page that is controlled by the attackers so that a malicious ISO file would be installed on the victim's device, according to Microsoft researchers. That file would install a Dynamic Link Library that contains a customized Cobalt Strike Beacon loader, which Microsoft calls "NativeZone."
"The successful execution of these malicious payloads could enable Nobelium to conduct action-on objectives, such as lateral movement, data exfiltration and delivery of additional malware," Microsoft says. Most of the messages apparently were blocked by security tools, the company says.
When the Justice Department announced the seizure of the two domains Tuesday, prosecutors noted that these two sites helped serve the NativeZone backdoor.
"Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim's network," according to the Justice Department. "The actors' instance of the Cobalt Strike tool received [command-and-control] communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com."
In its updated analysis published Friday, Microsoft researchers also found the attackers used other new malware besides NativeZone.
This includes "BoomBox," which acts as a downloader and can install and execute other components on a compromised device usually from a Dropbox account. Another malware variant called "EnvyScout" that was used in the campaign acts as a dropper that can de-obfuscate and write a malicious ISO file to disk, according to Microsoft.
Microsoft also found that the campaign used a shellcode loader that researchers call "VaporRage," which can download, decode and execute an arbitrary payload fully in memory on a compromised device.
Calls for Action
Rep. Jim Langevin, D-R.I, the chair of the House Armed Services Committee’s Cybersecurity Subcommittee, says that the latest phishing campaign - along with concerns about whether Russia was allowing the DarkSide ransomware gang that targeted Colonial Pipeline Co. to operate freely within its borders - raises the question of whether Russia should be sanctioned yet again.
"I hope the Biden administration will strongly consider all available options - including increased sanctions - to hold Russia accountable for allowing cybercriminals to run amok, as demonstrated by the Colonial [Pipeline] ransomware incident," Langevin says. "The administration must also consider the totality of Russia's cyber campaigns as it determines our response to the latest spate of phishing."
Rep. John Katko, R-N.Y., the ranking member of the House Homeland Security Committee, offered similar comments.
"Deterrence actions send the message that the U.S. will not tolerate any attempts to compromise our sensitive information and way of life," Katko says. "As I've said before, earlier sanctions were a necessary first step, but we must continue the full-court press. That reality is now more evident than ever before - after repeated attacks on U.S. cyber infrastructure, we must take a stronger stance and hold Russia accountable."
In April, the Biden administration issued sanctions against the SVR as well as Russian companies and individuals that the U.S. government says played a role in the SolarWinds attack or conducted interference during the 2020 election (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).