The U.S. Justice Department has announced the seizure of domains used in Nobelium spear-phishing attacks previously identified by Microsoft last week.
After court orders were issued in the Eastern District of Virginia on May 28, the Justice Department seized two command-and-control (C2) and malware distribution domains used in a spear-phishing campaign posing as the U.S. Agency for International Development (USAID).
“The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures,” the Justice Department said in a press release.
“Cyber intrusions and spear-phishing email attacks can cause widespread damage throughout affected computer networks, and can result in significant harm to individual victims, government agencies, NGOs, and private businesses,” said Acting U.S. Attorney Raj Parekh for the Eastern District of Virginia.
Last week, the Microsoft Threat Intelligence Center (MSTIC) had uncovered a “sophisticated email-based attack” operated by Nobelium, as part of a wide-scale malicious email campaign.
The same threat actor is also alleged to be behind the recent SolarWinds supply-chain attack, the SUNBURST backdoor and other intrusions. Microsoft had tracked the campaign since January 2021 and watched it evolve into a “series of waves demonstrating significant experimentation.”
According to the Microsoft report and the Justice Department statement, the attackers abused an email marketing company and a compromised USAID account to send the spear-phishing emails. The messages, purportedly sent from USAID email accounts and containing a “special alert,” went to thousands of email accounts at over one hundred organizations.