Russia appears to be carrying out a hack through the system used by the US aid agency
Hackers linked to Russia’s main intelligence agency surreptitiously seized an email system used by the State Department’s international aid agency to burrow into the computer networks of human rights groups and other such organizations that have criticized President Vladimir V. Putin, Microsoft Corporation revealed on Thursday.
The discovery of the breach comes just three weeks before President Biden is to meet Mr. Putin in Geneva, and at a time of heightened tension between the two countries – in part due to a series of increasingly sophisticated cyber attacks emanating from Russia.
The recently exposed attack was also particularly bold: By breaching the systems of a provider used by the federal government, hackers sent genuine-looking emails to over 3,000 accounts in over 150 organizations that regularly receive communications from the United States Agency for International Development. These emails were sent as recently as this week, and Microsoft has said it believes the attacks are still ongoing.
The emails were implanted with code that would give hackers unrestricted access to recipients’ computer systems, from “data theft to infecting other computers on a network,” Microsoft vice president Tom Burt wrote on Thursday evening.
Last month, Mr. Biden announced a series of new sanctions against Russia and the expulsion of diplomats for a sophisticated hacking operation, called SolarWinds, which used new methods to breach at least seven government agencies and hundreds of large American companies.
That attack went undetected by the US government for nine months, until it was discovered by a cybersecurity company. In April, Mr. Biden said he could have responded much more firmly, but “chose to be proportionate” because he did not want to “start a cycle of escalation and conflict with Russia.”
The Russian response, however, appears to have been to escalate. Malicious activity was ongoing as recently as last week. This suggests that the sanctions and all other covert White House actions – part of a strategy to create “visible and invisible” costs for Moscow – have not stifled the Russian government’s appetite for disruption.
A spokesperson for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said Thursday evening that the agency was “aware of the potential compromise” of the Agency for International Development and that it was “working with the FBI and USAID to better understand the scale of the compromise and help potential victims.”
Microsoft identified the Russian group behind the attack as Nobelium and said it was the same group responsible for the SolarWinds hack. Last month, the U.S. government explicitly declared SolarWinds to be the work of the SVR, one of the most successful KGB spinoffs of the Soviet era.
The same agency was involved in the 2016 Democratic National Committee hack, and before that, in attacks on the Pentagon, the White House messaging system, and the State Department’s unclassified communications.
The agency has become increasingly aggressive and creative, say federal officials and experts. The SolarWinds attack was never detected by the United States government and was carried out using code embedded in network management software that the government and private companies use widely. When customers updated the SolarWinds software – much like updating an iPhone overnight – they were unintentionally letting in an intruder.
Among the victims last year were the departments of homeland security and energy, as well as nuclear laboratories.
When Mr. Biden came to power, he commissioned a study of the SolarWinds case, and officials worked to prevent future “supply chain” attacks, in which adversaries infect software used by federal agencies. That is similar to what happened in this case, when Microsoft’s security team caught the hackers using a widely used email service, provided by a company called Constant Contact, to send malicious emails that appeared to come from genuine Agency for International Development addresses.
But the content was, at times, barely subtle. In an email sent on Tuesday via the Constant Contact service, the hackers highlighted a message claiming that “Donald Trump has posted new emails about voter fraud.” The email contained a link that, when clicked, dropped malicious files onto the recipients’ computers.
Microsoft noted that the attack differed “significantly” from the SolarWinds hack, using new tools and tradecraft in an apparent effort to avoid detection. It said the attack was still ongoing and that the hackers continued to send spearphishing emails, with increasing speed and reach. That is why Microsoft took the unusual step of naming the agency whose email addresses were being used and posting samples of the fake emails.
Essentially, the Russians entered the International Development Agency’s email system by going around the agency and directly attacking its software vendors. Constant Contact manages mass emails and other communications on behalf of the humanitarian agency.
“Nobelium launched this week’s attacks by accessing USAID’s Constant Contact account,” Microsoft’s Burt wrote. Constant Contact could not be reached for comment.
Microsoft, like other large companies involved in cybersecurity, maintains a large network of sensors to look for malicious activity on the Internet and is often a target itself. It was deeply involved in exposing the SolarWinds attack.
In this case, Microsoft reported, the hackers’ goal was not to attack the State Department or the aid agency, but to use their connections to get into groups working on the ground – groups that in many cases rank among Mr. Putin’s most powerful critics.
“At least a quarter of the organizations targeted were involved in international development, humanitarian action and human rights,” Mr. Burt wrote. Although he did not name them, many such groups have exposed Russia’s actions against dissidents or protested the poisoning, sentencing and imprisonment of Russia’s most prominent opposition leader, Alexei A. Navalny.
The attack suggests that Russian intelligence agencies are stepping up their campaign, perhaps to demonstrate that the country will not back down in the face of sanctions, expulsion of diplomats and other pressure.
Mr. Biden brought up the SolarWinds attack with Mr. Putin during a phone call last month, telling him that the sanctions and expulsions were a demonstration that his administration would no longer tolerate an accelerated pace of cyber operations.
Mr. Putin has denied Russian involvement, and some Russian media claimed that the United States launched the attack on itself.
At the time, the White House also imposed a series of new sanctions on Russian individuals and assets, including new restrictions on the purchase of Russian sovereign debt, which will make it more difficult for Russia to raise funds and support its currency.
“This is the start of a new American campaign against malicious behavior by Russia,” Treasury Secretary Janet L. Yellen said at the time.
Tensions over Russia’s harboring of cybercriminals escalated significantly this month after a ransomware group took Colonial Pipeline’s business networks hostage. The attack forced the company to shut down a pipeline that carries nearly half of the gasoline, diesel and jet fuel to the East Coast, driving up gas prices and setting off panic buying at the pump.
Mr. Biden said two weeks ago that “we have been in direct communication with Moscow on the imperative for responsible countries to take decisive action against these ransomware networks.”