The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted phishing assault on US and foreign government agencies and thinktanks this week using an email marketing account of the US Agency for International Development (USAid), Microsoft has said.
The effort targeted about 3,000 email accounts at more than 150 organisations, at least a quarter of them involved in international development, humanitarian and human rights work, the Microsoft vice-president Tom Burt wrote in a blogpost on Thursday.
Microsoft identified the attack’s perpetrators as Nobelium, a group originating in Russia that was also behind the attacks on SolarWinds customers in 2020.
“Nation-state cyber-attacks aren’t slowing,” Burt wrote. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”
A spokesperson for the US Cybersecurity and Infrastructure Security Agency said it was investigating with other agencies: “We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
News of the attacks came just over a month after the US expelled Russian diplomats and imposed sanctions against Russian officials and companies in an effort to crack down on election interference and cyber espionage.
It precedes a summit between the US president, Joe Biden, and his Russian counterpart, Vladimir Putin, scheduled for next month.
On Friday, the White House confirmed that it would go ahead with the summit despite the attack. A spokesperson, Karine Jean-Pierre, told reporters “we’re going to move forward with that” summit when asked about the hack’s possible impact on the meeting.
Microsoft did not say what portion of the attempts may have led to successful intrusions, though Burt wrote that many attacks targeting the company’s customers were automatically blocked.
The cybersecurity company Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggested the attacker was “likely having some success in breaching targets”.
Burt said the campaign appeared to be a continuation of efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence-gathering efforts”. He said the targets spanned at least 24 countries, though US organisations represented the largest share of victims.
The hackers gained access to USAid’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated 25 May purported to contain new information on 2020 election fraud claims and included a link to malware that allowed the hackers to “achieve persistent access to compromised machines”.
Microsoft said in a separate blogpost that the campaign was ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January that escalated to the mass mailings this week.
USAid’s acting spokesperson, Pooja Jhunjhunwala, told the Guardian the agency was “aware of potentially malicious email activity from a compromised Constant Contact email marketing account”, and that a forensic investigation was under way.
USAid “has notified and is working with all appropriate federal authorities,” Jhunjhunwala said. The Department of Homeland Security has also said it was investigating the hacking. The Constant Contact spokesperson Kristen Andrews called it an “isolated incident”, with the affected accounts temporarily disabled.
The latest cyber-aggression followed a 7 May ransomware attack on Colonial Pipeline, which shut the US’s largest fuel pipeline network for several days, disrupting supply.
The SolarWinds hack began as early as March 2020, when malicious code was sneaked into updates to Orion, SolarWinds’ popular software that monitors the computer networks of businesses and governments for outages. That malware gave hackers remote access to an organisation’s networks so they could steal information.
The hacking campaign, which infiltrated dozens of private sector companies and thinktanks as well as at least nine US government agencies, was supremely stealthy and carried on for most of 2020 before being detected in December by the cybersecurity company FireEye. In contrast, this new campaign is what cybersecurity researchers call noisy and easy to detect.
Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates; this campaign piggybacked on a mass email provider. With both methods, the company said, the hackers undermined trust in the technology ecosystem.
The Microsoft president, Brad Smith, has previously described the SolarWinds attack as “the largest and most sophisticated attack the world has ever seen”.
This month, Russia’s spy chief denied responsibility for the SolarWinds attack but said he was “flattered” by the accusations from the US and Britain that Russian foreign intelligence was behind such a sophisticated hack.
The US and Britain have blamed Russia’s foreign intelligence service, successor to the foreign spying operations of the KGB, for the SolarWinds attack.
Associated Press and Reuters contributed to this report