DOJ seizes domains used to launch malicious emails posing as USAID

The Department of Justice (DOJ) on Tuesday announced that the U.S. has obtained court orders to seize control of two online domains used by suspected Russian hackers to send malicious emails to organizations posing as the U.S. Agency for International Development (USAID). 

The domains were seized following Microsoft’s announcement last week that what it assessed to be Russian hackers had accessed an email marketing program used by USAID to target hundreds of groups with malicious emails. 

Microsoft assessed that the hackers were the same group behind the SolarWinds incident, which allowed Russian government-backed hackers to compromise nine federal agencies and at least 100 private sector groups for most of a year. 

Following the new incident, court orders were issued in the Eastern District of Virginia allowing the DOJ to seize command and control and malware distribution domains used as part of this effort in order to protect other organizations from being targeted and to identify the hackers. 

“Last week’s action is a continued demonstration of the Department’s commitment to proactively disrupt hacking activity prior to the conclusion of a criminal investigation,” Assistant Attorney General John Demers for the DOJ’s National Security Division said in a statement Tuesday. 

“Law enforcement remains an integral part of the U.S. government’s broader disruption efforts against malicious cyber-enabled activities, even prior to arrest, and we will continue to evaluate all possible opportunities to use our unique authorities to act against such threats,” he added.

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI announced late last week that they were working to address the malicious activity and confirmed that around 350 organizations had been targeted by the emails, including some federal agencies. CISA and the FBI stressed that as of Friday, there had been no “identified significant impact” on federal agencies.

FBI Cyber Division Assistant Director Bryan Vorndran said in a statement Tuesday that the agency is “committed” to disrupting this type of cyber activity.

“We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats,” Vorndran said.