Hackers linked to Russia’s main intelligence agency surreptitiously took over an e-mail system used by the State Department’s international aid agency to break into the computer networks of human rights groups and other organizations of the kind that have criticized President Vladimir V. Putin, Microsoft Corporation reported Thursday.
The discovery of the breach comes just three weeks before President Biden plans to meet with Mr. Putin in Geneva, and at a moment of heightened tension between the two nations, in part because of a series of increasingly sophisticated cyberattacks emanating from Russia.
The newly disclosed attack was also particularly bold: by breaching the systems of a provider used by the federal government, the hackers sent genuine-looking e-mails to more than 3,000 accounts at more than 150 organizations that regularly receive communications from the United States Agency for International Development. The e-mails went out as recently as this week, and Microsoft said it believes the attacks are continuing.
The e-mails were implanted with code that would give the hackers unlimited access to the recipients’ computer systems, from “stealing data to infecting other computers on the network,” Tom Burt, a vice president of Microsoft, wrote.
Last month, Mr. Biden announced a series of new sanctions on Russia and the expulsion of diplomats in response to a sophisticated hacking operation known as SolarWinds, which used novel methods to breach at least seven government agencies and hundreds of large U.S. companies.
That attack went undetected by the U.S. government for nine months, until it was discovered by a cybersecurity company. In April, Mr. Biden said he could have responded much more forcefully but “chose to be proportionate” because he did not want to “start a cycle of escalation and conflict with Russia.”
But the Russian response appears to have been an escalation. Malicious activity was under way as recently as last week. That suggests that the additional sanctions and the covert actions the White House carried out, as part of a strategy of imposing “seen and unseen” costs on Moscow, have not dampened the Russian government’s appetite for disruption.
A spokesman for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said Thursday afternoon that the agency was “aware of the potential compromise” at the Agency for International Development and that it was “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
Microsoft identified the Russian group behind the attack as Nobelium and said it was the same group responsible for the SolarWinds hack. Last month, the U.S. government explicitly said that SolarWinds was the work of the SVR, one of the most successful successors of the Soviet-era KGB.
The same agency was involved in the hacking of the Democratic National Committee in 2016 and, earlier, in attacks on the Pentagon, the White House e-mail system and unclassified State Department communications.
It has grown increasingly aggressive and creative, federal officials and experts say. The SolarWinds attack was never detected by the U.S. government and was carried out using code implanted in network management software that the government and private companies use widely. When customers updated the SolarWinds software, much as they would update an iPhone overnight, they unknowingly let an intruder in.
Among last year’s victims were the national security and energy departments, as well as nuclear laboratories.
When Mr. Biden took office, he ordered a study of the SolarWinds case, and officials have been working to prevent future “supply chain” attacks, in which adversaries infect software used by federal agencies. That is similar to what happened in this case, when Microsoft’s security team caught the hackers using a widely used e-mail service, provided by a company called Constant Contact, to send malicious e-mails that appeared to come from genuine Agency for International Development addresses.
May 26, 2021, at 9:17 p.m. ET
But the content was sometimes hardly subtle. In one e-mail sent Tuesday through the Constant Contact service, the hackers pushed a message stating that “Donald Trump has released new emails about election fraud.” The e-mail contained a link that, when clicked, dropped malicious files on the recipients’ computers.
Microsoft noted that the attack differed “significantly” from the SolarWinds hack, using new tools and tradecraft in an apparent effort to avoid detection. It said the attack was still under way and that the hackers were continuing to send more subtle e-mails, with increasing speed and reach. That is why Microsoft took the unusual step of naming the agency whose e-mail addresses were used and posting samples of the fake e-mails.
In essence, the Russians got into the Agency for International Development’s e-mail system by bypassing the agency and going directly after its software vendor. Constant Contact handles bulk e-mails and other communications on behalf of the aid agency.
“Nobelium launched this week’s attacks by accessing USAID’s Constant Contact account,” Mr. Burt of Microsoft wrote. Constant Contact could not be reached for comment.
Microsoft, like other major cybersecurity companies, maintains a wide network of sensors to look for malicious activity on the Internet, and it is often a target itself. It was deeply involved in uncovering the SolarWinds attack.
In this case, Microsoft reported, the hackers’ goal was not to get into the State Department or the aid agency but to use their connections to reach the groups working in the field, which in many cases are among Mr. Putin’s most powerful critics.
“At least a quarter of the targeted organizations were involved in international development, humanitarian work, and human rights,” Mr. Burt wrote. Although he did not name them, many such groups have exposed Russian actions against dissidents or protested the poisoning, conviction and imprisonment of Russia’s best-known opposition leader, Alexei A. Navalny.
The attack suggests that Russia’s intelligence agencies are stepping up their campaign, perhaps to show that the country will not back down in the face of sanctions, diplomatic expulsions and other pressure.
Mr. Biden raised the SolarWinds attack with Mr. Putin in a phone call last month, telling him that the sanctions and expulsions were a demonstration that his administration would no longer tolerate an increased tempo of cyberoperations.
Mr. Putin has denied Russian involvement, and some Russian media have argued that the United States launched the attack on itself.
At the time, the White House also imposed a series of new sanctions on Russian individuals and entities, including new restrictions on the purchase of Russia’s sovereign debt, which would make it harder for Russia to raise money and support its currency.
“This is the beginning of a new American campaign against Russian malicious behavior,” Treasury Secretary Janet L. Yellen said at the time.
Tensions over the presence of cybercriminals in Russia rose sharply this month after a ransomware group hijacked Colonial Pipeline’s business networks. The attack forced the company to shut down a pipeline that carries nearly half of the gasoline, diesel and jet fuel for the East Coast, prompting a rise in gas prices and panic buying at the pump.
Mr. Biden said two weeks ago that “we have been in direct communication with Moscow on the imperative that responsible countries take decisive action against these ransomware networks.”