The US DoJ and FBI have seized two domains, theyardservice[.]com and worldhomeoutlet[.]com, used by the Russia-linked APT29 group in spear-phishing attacks that targeted government agencies, think tanks, consultants, and NGOs.
The Russia-linked SVR group (aka APT29, Cozy Bear, and The Dukes), along with the APT28 cyber espionage group, was involved in the recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks.
APT29 is also suspected to be behind the SolarWinds supply chain attack. In this campaign the group allegedly compromised an account on the email marketing platform Constant Contact that belonged to the US agency USAID and sent out 3,000 phishing messages to more than 150 organizations across 24 countries.
When a recipient clicked on a link included in the messages, the victim was directed to download malware from a sub-domain of theyardservice[.]com. Once they had gained an initial foothold, the attackers downloaded the Cobalt Strike tool to achieve persistence in the target system and deploy additional tools or malicious payloads.
“The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com.
“We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats,” states the FBI.
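Because the malware download and the Cobalt Strike C2 traffic both used subdomains of the seized domains, a defender's first retrospective check is to sweep DNS and proxy logs for any hostname under those two domains, not just the bare apex. The script below is an added example written for this article, not code from the DoJ, the FBI, or any incident report; the log lines are constructed for illustration, and the subdomain labels in them (cdn, static) are invented placeholders, not indicators from the campaign.

```python
import re
from typing import Iterable, List, Tuple

# The two domains seized by the DoJ/FBI, kept defanged (with "[.]") as published.
SEIZED_DOMAINS_DEFANGED = ["theyardservice[.]com", "worldhomeoutlet[.]com"]

# Constructed sample log lines (DNS queries and proxy requests). The subdomain
# labels and client IPs are made up for this example.
SAMPLE_LOGS = [
    "2021-05-27T14:02:11Z dns client=10.0.0.12 query=cdn.theyardservice.com type=A",
    "2021-05-27T14:02:13Z proxy client=10.0.0.12 url=https://cdn.theyardservice.com/setup.zip status=200",
    "2021-05-27T14:05:40Z dns client=10.0.0.12 query=static.worldhomeoutlet.com type=A",
    "2021-05-27T14:06:00Z dns client=10.0.0.33 query=www.example.org type=A",
    "2021-05-27T14:07:00Z dns client=10.0.0.41 query=nottheyardservice.com type=A",
]

# Hostnames appear after a URL scheme, a "query=" field, or a "dst_host=" field.
HOST_RE = re.compile(r"(?:https?://|query=|dst_host=)([A-Za-z0-9.-]+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip(".")


def matches_indicator(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or any subdomain of it.

    The leading dot in the suffix check is what stops 'nottheyardservice.com'
    from matching 'theyardservice.com'.
    """
    host = hostname.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_hits(log_lines: Iterable[str],
              domains_defanged: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_index, hostname, matched_domain) for every log line whose
    hostnames fall under one of the indicator domains."""
    domains = [refang(d) for d in domains_defanged]
    hits: List[Tuple[int, str, str]] = []
    for idx, line in enumerate(log_lines):
        for match in HOST_RE.finditer(line):
            host = match.group(1)
            for domain in domains:
                if matches_indicator(host, domain):
                    hits.append((idx, host.lower(), domain))
    return hits


def scan_sample() -> List[Tuple[int, str, str]]:
    """Run the sweep over the constructed sample logs."""
    return find_hits(SAMPLE_LOGS, SEIZED_DOMAINS_DEFANGED)


if __name__ == "__main__":
    for idx, host, domain in scan_sample():
        print(f"line {idx}: {host} is under seized domain {domain}")
```

Run against real exports, the same `find_hits` call takes any iterable of lines; the suffix match is the important part, since the campaign's download and C2 hosts were subdomains that a plain exact-match lookup against the two apex domains would miss.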