Days after Microsoft, Secureworks, and Volexity shed light on a new spear-phishing activity unleashed by the Russian hackers who breached SolarWinds IT management software, the U.S. Department of Justice (DoJ) Tuesday said it intervened to take control of two command-and-control (C2) and malware distribution domains used in the campaign.
The department, however, cautioned that the adversary might have deployed additional backdoor accesses in the interim between the initial compromises and the seizures that took place last week.
The court-authorized domain seizure took place on May 28, the DoJ said, adding that the action was aimed at disrupting the threat actors’ follow-on exploitation of victims as well as at blocking their ability to compromise new systems.
“[The] action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” said Assistant Attorney General John C. Demers for the Justice Department’s National Security Division.
The two domains in question — theyardservice[.]com and worldhomeoutlet[.]com — were used to communicate and control a Cobalt Strike beacon called NativeZone that the actors implanted on the victim networks. The wide-scale campaign, which was detected on May 25, leveraged a compromised USAID account at a mass email marketing company called Constant Contact to send phishing emails to approximately 3,000 email accounts at more than 150 different organizations.
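For defenders, the practical use of a report like this is retrospective hunting: the two seized domains are indicators that should be searched for in DNS and proxy logs, including subdomains, since a beacon may resolve a host under the C2 domain rather than the apex. The following is an added example, not code from the article, the DoJ, or any of the vendors named; the dnsmasq-style log format, the IP addresses and the log lines are constructed for the demonstration, and only the two domain names come from the article.

```python
import re

# Indicators taken from the article: the two C2 / malware distribution domains
# seized by the DoJ on May 28, written defanged exactly as the article prints them.
SEIZED_C2_DOMAINS = (
    "theyardservice[.]com",
    "worldhomeoutlet[.]com",
)


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


def host_matches(host: str, indicator: str) -> bool:
    """True if host is the indicator domain itself or a subdomain of it.
    The leading dot in the suffix check keeps 'notexample.com' from matching 'example.com'."""
    host = host.lower().strip(".")
    return host == indicator or host.endswith("." + indicator)


# Minimal parser for a constructed, dnsmasq-like query record:
# '<date> <time> query[<type>] <name> from <client-ip>'  (assumed format, not a real product's)
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def find_c2_lookups(log_lines, indicators=SEIZED_C2_DOMAINS):
    """Return (client, queried_name, matched_indicator, timestamp) for each log line
    whose queried name is one of the indicator domains or a subdomain of one."""
    refanged = [refang(d) for d in indicators]
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not a query record; skip silently
        for ind in refanged:
            if host_matches(m["name"], ind):
                hits.append((m["client"], m["name"], ind, m["ts"]))
                break
    return hits


# Constructed sample log (not real telemetry): two hosts resolve the seized domains,
# one of them via a subdomain; the remaining lines are benign noise, including a
# look-alike name that must NOT match.
SAMPLE_LOG = """\
2021-05-25 09:14:03 query[A] www.example.org from 10.0.4.17
2021-05-25 09:14:09 query[A] theyardservice.com from 10.0.4.17
2021-05-25 09:15:41 query[A] cdn.worldhomeoutlet.com from 10.0.7.2
2021-05-25 09:16:00 query[AAAA] mail.example.org from 10.0.4.17
2021-05-25 09:17:22 query[A] nottheyardservice.com from 10.0.9.9
""".splitlines()

if __name__ == "__main__":
    for client, name, ind, ts in find_c2_lookups(SAMPLE_LOG):
        print(f"{ts}  {client} resolved {name} (matches seized C2 domain {ind})")
```

Run as-is it reports the two matching lookups; point `find_c2_lookups` at your own resolver or proxy export after adapting `LOG_LINE` to that format. Because the domains were seized, a match after May 28 means the host is still beaconing to a now-controlled sinkhole, which is exactly the residual access the DoJ warned about and worth treating as a live incident rather than historical noise.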
“Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats.”