Russian SolarWinds hackers launch email attack on government agencies

Microsoft says group targeted more than 150 American and foreign organisations using USAid account

The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted phishing assault on US and foreign government agencies and thinktanks this week using an email marketing account of the US Agency for International Development (USAid), Microsoft has said.

The effort targeted about 3,000 email accounts at more than 150 organisations, at least a quarter of them involved in international development, humanitarian and human rights work, the Microsoft vice-president Tom Burt wrote in a blogpost on Thursday.

Microsoft identified the attack’s perpetrators as Nobelium, a group originating in Russia that was also behind the attacks on SolarWinds customers in 2020.

“Nation-state cyber-attacks aren’t slowing,” Burt wrote. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”

A spokesperson for the US Cybersecurity and Infrastructure Security Agency said it was investigating with other agencies: “We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”

News of the attacks came just over a month after the US expelled Russian diplomats and imposed sanctions against Russian officials and companies in an effort to crack down on election interference and cyber espionage.

It precedes a summit between the US president, Joe Biden, and his Russian counterpart, Vladimir Putin, scheduled for next month.

On Friday, the White House confirmed that it would go ahead with the summit despite the attack. A spokesperson, Karine Jean-Pierre, told reporters “we’re going to move forward with that” summit when asked about the hack’s possible impact on the meeting.

Microsoft did not say what portion of the attempts may have led to successful intrusions, though Burt wrote that many attacks targeting the company’s customers were automatically blocked.

The cybersecurity company Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggested the attacker was “likely having some success in breaching targets”.

Burt said the campaign appeared to be a continuation of efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence-gathering efforts”. He said the targets spanned at least 24 countries, though US organisations represented the largest share of victims.

The hackers gained access to USAid’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated 25 May purported to contain new information on 2020 election fraud claims and included a link to malware that allowed the hackers to “achieve persistent access to compromised machines”.

Microsoft said in a separate blogpost that the campaign was ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January that escalated to the mass mailings this week.

USAid’s acting spokesperson, Pooja Jhunjhunwala, told the Guardian the agency was “aware of potentially malicious email activity from a compromised Constant Contact email marketing account”, and that a forensic investigation was under way.

USAid “has notified and is working with all appropriate federal authorities,” Jhunjhunwala said. The Department of Homeland Security has also said it was investigating the hacking. The Constant Contact spokesperson Kristen Andrews called it an “isolated incident”, with the affected accounts temporarily disabled.

The latest cyber-aggression followed a 7 May ransomware attack on Colonial Pipeline, which shut the US’s largest fuel pipeline network for several days, disrupting supply.

The SolarWinds hack began as early as March 2020 when malicious code was sneaked into updates to Orion, popular software made by the company that monitors the computer networks of businesses and governments for outages. That malware gave hackers remote access to an organisation’s networks so they could steal information.

Among the most high-profile users of the software were US government departments including the Centers for Disease Control and Prevention, the state department, and the justice department.

US intelligence agencies have accused Russia of launching the attack.

SolarWinds, of Austin, Texas, provides network monitoring and other technical services to hundreds of thousands of organisations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East.

Its compromised product, Orion, is a centralised monitoring tool that looks for problems in an organisation’s computer network, which means that breaking in gave the attackers a “God view” of those networks.

Neither SolarWinds nor US cybersecurity authorities have publicly identified which organisations were breached. Just because a company or agency uses SolarWinds as a vendor does not necessarily mean it was vulnerable to the hack.

Kari Paul and Martin Belam

The hacking campaign, which infiltrated dozens of private sector companies and thinktanks as well as at least nine US government agencies, was supremely stealthy and carried on for most of 2020 before being detected in December by the cybersecurity company FireEye. In contrast, this new campaign is what cybersecurity researchers call noisy and easy to detect.

Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates; this campaign piggybacked on a mass email provider. With both methods, the company said, the hackers undermined trust in the technology ecosystem.

The Microsoft president, Brad Smith, has previously described the SolarWinds attack as “the largest and most sophisticated attack the world has ever seen”.

This month, Russia’s spy chief denied responsibility for the SolarWinds attack but said he was “flattered” by the accusations from the US and Britain that Russian foreign intelligence was behind such a sophisticated hack.

The US and Britain have blamed Russia’s foreign intelligence service, successor to the foreign spying operations of the KGB, for the SolarWinds attack.

Associated Press and Reuters contributed to this report


Alexandra Villarreal and agencies
