US seizes domains used in USAID phishing attacks

 


The US Justice Department seized two command-and-control (C2) and malware distribution domains involved in the recent phishing campaign that was disguised as email communications from the U.S. Agency for International Development (USAID).

“The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures,” the DoJ said in a press release.

The Justice Department said that it seized the domains on May 28 after winning a court order to do so.

The phishing campaign was first reported by Microsoft last week. The company said it detected a massive malicious campaign that targeted around 3,000 email accounts at more than 150 organizations across at least 24 countries, including government agencies, think tanks, consultants, and non-governmental organizations.

The threat actor behind this campaign is believed to be Nobelium (aka Cozy Bear, APT29, or The Dukes), the same group that allegedly was responsible for last year’s SolarWinds hack.

The attackers compromised USAID’s Constant Contact account and used it to distribute legitimate-looking phishing emails containing a link that, when clicked, delivered a malicious file which planted a backdoor dubbed NativeZone on the victim’s system.
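A defender triaging mail from a campaign like this typically wants two quick checks on every link in a suspicious message: does the destination domain appear on a block list (for example, the seized C2 and malware distribution domains), and does the visible link text point somewhere other than the real href. The script below, an added example and not code from the article or from any of the agencies it cites, does both over a constructed sample email. The domain names in `SEIZED_C2_DOMAINS` and the sample message are placeholders, since the article does not name the seized domains.

```python
"""Added example: flag suspicious links in an email by checking each href
against a block list of seized C2 domains and detecting link text that
names a different domain than the href. All domains and the sample
message are constructed placeholders, not values from the article."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder block list (the article does not name the seized domains).
SEIZED_C2_DOMAINS = {"seized-c2-example.test", "malware-dist-example.test"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registered-domain approximation (last two labels); fine for this demo."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze_links(html):
    """Return a list of findings, one per link that trips at least one check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(host) in SEIZED_C2_DOMAINS:
            reasons.append("destination on seized-C2 block list")
        # Visible text that looks like a URL but resolves to a different domain
        # than the actual href is a classic phishing lure.
        if text.startswith(("http://", "https://")):
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != registered_domain(host):
                reasons.append("link text domain differs from href domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def analyze_eml(raw_message):
    """Parse an RFC 5322 message and analyze the links in its HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return analyze_links(body.get_content()) if body is not None else []


# Constructed sample message for the demo; headers and links are placeholders.
SAMPLE_EML = """\
From: notifications@mailer.example.org
To: analyst@example.org
Subject: New document available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new document has been shared with you.</p>
<p><a href="https://seized-c2-example.test/doc">View the document</a></p>
<p><a href="https://malware-dist-example.test/x">https://www.example.org/notice</a></p>
<p><a href="https://www.example.org/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_eml(SAMPLE_EML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Running the script prints two findings for the sample message: the first link because its domain is on the block list, the second because it is both on the list and shows link text naming a different domain. The third link, a plain unsubscribe link to a domain not on the list, is not flagged. In practice the block list would be fed from an indicator source rather than hard-coded, and the registered-domain logic would use a public-suffix library rather than the two-label approximation used here.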

In a security advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said the attackers sent phishing emails to more than 7,000 accounts across approximately 350 government organizations, IGOs, and NGOs.

