According to Microsoft, the hackers behind one of the worst data breaches in US government history have launched a new global cyberattack on more than 150 government agencies, think tanks, and other organizations.
Microsoft’s “Nobelium” group targeted 3,000 email accounts at various organizations this week, the majority of which were in the United States, according to a blog post published on Thursday.
It believes the hackers are linked to the same Russian group that launched a devastating attack on software vendor SolarWinds last year, which targeted at least nine US federal agencies and 100 businesses.
Following revelations that hackers had inserted malicious code into a tool published by SolarWinds, the US government has made cybersecurity a top priority. The Colonial Pipeline, one of America’s most important pieces of energy infrastructure, was shut down by ransomware earlier this month, adding to the sense of dread. According to the FBI, the attack was carried out by a Russian-based criminal gang.
At least a quarter of the targets of this week’s attacks, according to Microsoft (MSFT), were involved in international development, humanitarian, and human rights work in at least 24 countries.
“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” the company said.
Pooja Jhunjhunwala, USAID’s acting spokesperson, said on Friday that the agency was aware of “potentially malicious email activity” from a compromised Constant Contact marketing account. Jhunjhunwala added that the incident is still being investigated forensically.
According to spokespeople, the incident has been reported to the White House National Security Council and the US Cybersecurity and Infrastructure Security Agency (CISA). According to a spokesperson for CISA, the agency is “collaborating with the FBI and USAID to better understand the scope of the compromise and assist potential victims.”
The hackers were able to send out phishing emails that “looked authentic but included a link that, when clicked, inserted a malicious file” that allowed them to access computers through a backdoor after gaining access to USAID’s account, according to Microsoft.
According to Microsoft, “this backdoor could enable a wide range of activities from data theft to infecting other computers on a network.”
An authentic sender address was included in one of the fake emails that appeared to come from USAID. The email pretended to be a “special alert,” inviting recipients to click on a link to “view documents” on election fraud from former President Donald Trump.
Many of the attacks were automatically blocked, according to Microsoft. Customers who were targeted will be notified, and the company claims there is “no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services.”
Constant Contact’s spokesperson said the company is “aware that the account credentials of one of our customers were compromised,” describing the incident as “isolated.” “We’ve temporarily disabled the impacted accounts while we work with our customer, who is assisting law enforcement,” the spokesperson continued.
At the time of the SolarWinds hack, US intelligence and law enforcement agencies said the perpetrators “likely originated in Russia,” and that the attack was suspected of being espionage.
Microsoft reiterated those suspected motivations in its Thursday blog post, saying that “when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers.”
Nobelium “increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem” by piggybacking on software updates and now mass email providers, according to the company.
According to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, the latest revelation demonstrates how Russia has been undeterred by recent US efforts to hold the Kremlin accountable and strengthen cybersecurity following the SolarWinds campaign.
“The Russians have a campaign plan in place for massive attacks on US targets that they have no incentive to abandon,” Lewis said. “They are unconcerned about the reaction of the United States. They’re putting the new administration to the test.”
Dmitry Peskov, a Kremlin spokesman, declined to comment on the specifics of Microsoft’s allegations on Friday.
“To answer your question we first need to answer the following: which groups? Why are they linked to Russia? Who attacked what? What did this lead to? What was the attack itself? And how does Microsoft know about it? If all of these questions are answered, we can think about the response [to your question],” Peskov told CNN in a conference call with journalists.
According to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, the latest revelation demonstrates how Russia has been undeterred by recent US efforts to hold the Kremlin accountable and strengthen cybersecurity following the SolarWinds campaign.
“The Russians have a campaign plan for massive attacks against US targets, for which they have no incentive to stop,” Lewis said. “They aren’t afraid of the US response. They are testing the new administration.”
Dmitry Peskov, a Kremlin spokesman, declined to comment on the specifics of Microsoft’s allegations on Friday.
He also expressed his belief that the allegations would have no bearing on the upcoming meeting between US President Joe Biden and Russian President Vladimir Putin.