The US Justice Department has seized two domains that were used in Nobelium’s phishing campaign against USAID, which Microsoft identified last week.
Nobelium, the group believed to be behind the SolarWinds attack, sent the mass email campaign from a compromised USAID account. The attack is widely attributed to Russia’s Foreign Intelligence Service (SVR) and has targeted various political organizations in Europe.
The US Department of Justice said on Tuesday that it had seized the two domains to disrupt the actors’ ongoing activity and prevent further exploitation of victims. The statement also warned that victims should not assume the seizure ended the intrusions:
“The actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures,” the government statement said.
Bryan Vorndran, Assistant Director of the FBI’s Cyber Division, said the FBI would keep working with its partners to disrupt cyber attacks against US agencies.
“We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats,” Vorndran said.
The emails contained a link that downloaded malware, and the Justice Department said the resulting implant used the two seized domains for command and control (C2):
“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order,” the statement said.
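For a defender, the practical follow-up to that statement is to hunt DNS and proxy logs for the two seized domains and, because the C2 ran over "other subdomains", for anything beneath them. The script below is an added example and is not from the article or the DOJ statement. It matches per DNS label so that subdomains are caught while look-alike names are not, and accepts the defanged `[.]` spelling used in the statement. The log format (Zeek-style timestamp, source IP, query, query type), the IP addresses and the subdomain labels in the sample lines are constructed for illustration; they are not the actors’ real subdomains.

```python
"""Hunt DNS log lines for the two C2 domains named in the DOJ seizure.

Added example, not the article's or the DOJ's code. Matching is done per
DNS label, so 'anything.theyardservice.com' matches while a look-alike
such as 'nottheyardservice.com' or 'theyardservice.com.cdn.example.net'
does not.
"""
import re
from typing import Dict, Iterable, List

# Indicators exactly as the DOJ statement spells them (defanged).
SEIZED_DOMAINS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(name: str) -> str:
    """Turn defanged 'example[.]com' into a normalized lowercase FQDN."""
    return name.replace("[.]", ".").strip().strip(".").lower()


def matches_indicator(hostname: str, indicator: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it.

    Comparison is on whole labels from the right, so a domain that merely
    contains the indicator as a substring is not a match.
    """
    host = refang(hostname).split(".")
    ioc = refang(indicator).split(".")
    return len(host) >= len(ioc) and host[-len(ioc):] == ioc


# Assumed log layout (constructed): "<ts> <src_ip> <query> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<query>\S+)\s+(?P<qtype>\S+)$")


def hunt(lines: Iterable[str], indicators: List[str] = SEIZED_DOMAINS) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name falls under an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash mid-hunt
        for ioc in indicators:
            if matches_indicator(m["query"], ioc):
                hits.append({
                    "ts": m["ts"],
                    "src": m["src"],
                    "query": refang(m["query"]),
                    "ioc": refang(ioc),
                })
                break
    return hits


# Constructed sample telemetry (not real logs; subdomain labels are invented).
SAMPLE_LOG = """\
1622505600.001 10.1.2.3 www.usaid.gov A
1622505601.120 10.1.2.3 cdn-delivery.theyardservice.com A
1622505602.455 10.1.2.9 WORLDHOMEOUTLET.COM A
1622505603.010 10.1.2.4 nottheyardservice.com A
1622505604.777 10.1.2.3 theyardservice.com.cdn.example.net A
1622505605.500 10.1.2.5 updates.theyardservice.com. A
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} -> {hit['query']} (under {hit['ioc']})")
```

Three of the six constructed lines match: the two subdomains of theyardservice.com (one with a trailing dot, as some resolvers log it) and the upper-cased worldhomeoutlet.com. The look-alike and the name that only embeds the indicator as a left-hand label are correctly ignored, which is the failure mode a naive substring search would get wrong.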
John Bambenek, a security expert with Netenrich, said that the Justice Department’s actions were unusual and showed how the agency can use the legal process to quickly seize domains and protect the country’s interests.
“If governments can start doing this quickly, not just on APT threats but conventional cybercrime, we can have a greater disruptive effect on cybercrime,” Bambenek said.
Schless said that by seizing the servers used in phishing campaigns, investigators can gather important details about the individuals or groups behind them, and that such seizures help prevent future attacks.
“Most threat actors likely have backups of their malicious campaigns and can spin out new versions of the same activity on different domains and servers. However, reusing the same campaign means that it will likely possess identifiable heuristics or characteristics in the future,” Schless explained to ZDNet.
By amassing a large body of threat intelligence, organizations can improve their ability to identify attackers and defend against them.
“Since attackers often reuse bits and pieces of previous malware or even naming tactics in their campaigns, a large enough dataset will be able to identify and protect against both known and unknown threats before they reach any sort of sizable scale,” Schless said.