
Russian hackers attacking organizations through system used by USAID, says Microsoft

Microsoft said the hacker group Nobelium gained access to the Constant Contact account of the U.S. Agency for International Development to send authentic-looking phishing emails that contained a link to a malicious file. One iteration of the email claimed to be a USAID alert concerning election fraud documents published by former President Donald Trump. Photo courtesy of Microsoft/Website

May 28 (UPI) -- Russia-linked hackers behind the SolarWinds attack have been targeting government agencies, think tanks and non-governmental organizations through the email system of the U.S. Agency for International Development, Microsoft said late Thursday.

The wide-scale attack was uncovered this week by the Microsoft Threat Intelligence Center, which on Thursday identified the group responsible in a statement as Nobelium. The group has been blamed for the November attack through widely used SolarWinds software, which aided the breach of at least nine U.S. federal agencies as well as dozens of companies, including Fortune 500 businesses.


Microsoft said it had first noticed the campaign in January, but on Tuesday Nobelium escalated the effort by accessing USAID's Constant Contact email service, from which it distributed malicious links through authentic-looking emails to organizations and industries. When the link is clicked, a malicious file creates a so-called back door on the computer that enables the theft of data and the ability to infect other computers on the network, it said.

Though there were several iterations of the email, one example shared by Microsoft attempts to convince recipients to click on the link by advertising it as a USAID special alert, stating "Donald Trump has published new documents on election fraud."


Microsoft said that, due to the high volume of emails distributed in the campaign, most were blocked by threat detection systems and marked as spam.

"However, some automated threat detection systems may have successfully delivered some of the earlier emails to recipients either due to configuration and policy settings or prior to detections being in place," Microsoft said.

This spear-phishing scheme targeted some 3,000 individual accounts across more than 150 organizations, it said.


"While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries," Tom Burt, corporate vice president at Microsoft's Customer Security and Trust department, said in a blog post. "At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work."

Burt said this attack, combined with the SolarWinds attack, shows the group's continuing effort to gain access to agencies concerned with foreign policy as part of its intelligence-gathering efforts.

The attack also shows a pattern in which Nobelium attempts to gain access to its victims through trusted technology providers, which increases the odds of collateral damage by undermining trust in technology, he said.


It also shows that Nobelium and other similar threat actors target humanitarian and human rights organizations and that nation-state cyberattacks are only increasing.


Cybersecurity firm Volexity also said in a blog post it had observed the campaign and that there has been a relatively low detection rate suggesting "the attacker is likely having some success in breaching targets."

Microsoft warned that Nobelium's spear-phishing operations have been recurring and increasing in frequency and scope, and that it expects "additional activity may be carried out by the group using an evolving set of tactics."

A spokesperson with the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security told The New York Times that they were "aware of the potential compromise" and were "working with the FBI and USAID to better understand the extent of the compromise and assist potential victims."

The attack was uncovered weeks before President Joe Biden is to meet Russian President Vladimir Putin for a summit on June 16 in Geneva, Switzerland, where it is anticipated that the recent cyberattacks will be discussed.

In recent readouts of calls between the two leaders, Biden has brought up the issue of cyber intrusions and in April said "the United States will act firmly in defense of its national interests in response" to such malicious behavior.


The White House has blamed the Russian Foreign Intelligence Service for the SolarWinds attack and in April Biden sanctioned a slew of Russian companies and individuals behind its cyberattacks.

Earlier this month, Biden signed an executive order to beef up the nation's cybersecurity in the wake of Colonial Pipeline shutting down after being the target of a ransomware attack.
