Kremlin-backed cyber spies behind the SolarWinds hack launched an audacious spear phishing campaign against US government agencies this week, Microsoft has revealed.
An email from the State Department’s own Agency for International Development was sent to more than 3,000 accounts across 150 different organisations, many of them focused on human rights or humanitarian aid.
It contained a link which, when clicked, would implant a code on the target’s computer giving the hackers unfettered access to their files from ‘stealing data to infecting other computers on a network,’ Microsoft Vice President Tom Burt said.
Some of the emails were hardly subtle, including one which said: ‘USAID ALERT: Donald Trump has published new documents on election fraud.’ It provided a link to ‘view documents’ which led the users to download the Trojan virus.
The discovery of the latest breach comes just three weeks before President Joe Biden is to meet Vladimir Putin in Geneva amid heightened tensions already inflamed by the SolarWinds hack which came to light in December.
The email contained a link which, when clicked, would implant a code on the target’s computer giving the hackers unfettered access to their files from ‘stealing data to infecting other computers on a network,’ Microsoft Vice President Tom Burt said (pictured: the example above used a claim about the former president Donald Trump)
The discovery of the latest breach comes just three weeks before President Joe Biden is to meet Vladimir Putin in Geneva amid heightened tensions already inflamed by the SolarWinds hack which came to light in December
That attack had been ongoing for nine months before it was uncovered. It exposed at least nine US government agencies including the Department of Justice, as well as some of the biggest firms on Wall Street.
Biden said last month he could have been far more punitive towards Moscow but chose to act ‘proportionately’ because he didn’t want ‘to kick off a cycle of escalation and conflict with Russia.’
But this spear phishing campaign underlines that whatever sanctions the Biden administration imposed have not deterred the Kremlin from deploying its hackers.
In fact, the attack this time was more sophisticated and more brazen, using a USAID email which, unlike regular phishing emails, is targeted at users who are more likely to believe it is genuine.
A spokesman for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security told the New York Times last night it was ‘aware of the potential compromise’ at USAID and that it was ‘working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.’
Microsoft named the group behind the hack as Nobelium, the same responsible for the SolarWinds breach.
Last month, the US government said explicitly that the SVR, one of the espionage successors of the Soviet KGB, had carried out the SolarWinds cyber attack.
Microsoft VP Burt did not say how many of the phishing emails may have led to successful intrusions.
But cybersecurity firm Volexity, which also tracked the campaign, said the relatively low detection rates of the phishing emails suggested it was ‘likely having some success in breaching targets.’
Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to ‘target government agencies involved in foreign policy as part of intelligence gathering efforts’.
He said the targets spanned at least 24 countries.
The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said.
In short, the hackers were able to get hold of a USAID email account through the third party software which they use rather than hacking the government agency directly.
The authentic-looking phishing emails dated May 25 purport to contain new information on 2020 election fraud claims and include a link to malware that allows the hackers to ‘achieve persistent access to compromised machines’.
When a user is sent the email, they click on a link which appears to send them to a legitimate website, but this site then downloads an ISO (disk image) file onto their computer. This disk image is then mounted by the hackers, meaning it is opened as if it is a USB drive or CD and the malicious code is installed on the PC. It installs a Trojan virus which provides unfettered access to the target’s machine and network
Microsoft said in a separate blog post that the campaign is ongoing and evolved out of several waves of spear-phishing campaigns it first detected in January which escalated to the mass-mailings of this week.
While the SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks as well as at least nine US government agencies, was supremely stealthy and went on for most of 2020 before being detected in December by the cybersecurity firm FireEye, this campaign is what cybersecurity researchers say was easy to detect.
Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider’s software updates, while this campaign piggybacked on a mass email provider.
With both methods, the company said, the hackers undermine trust in the technology ecosystem.