Hackers connected to Russia’s main intelligence agency secretly seized an email system used by the Foreign Ministry’s international aid agency to dig into the computer networks of human rights groups and other organizations that President Vladimir V. Microsoft Corporation announced on Thursday that they were critical of Putin.
The breach was only discovered three weeks before President Biden’s planned meeting with Putin in Geneva and at a moment of increasing tensions between the two nations – also due to a series of increasingly sophisticated cyberattacks from Russia.
The newly uncovered attack was also particularly bold: By breaching the systems of a supplier used by the federal government, the hackers sent real-looking emails to more than 3,000 accounts in more than 150 organizations that receive regular communications from the United States’ International Development Agency. Those emails only went out this week and Microsoft believes the attacks are still ongoing.
The e-mail was implanted with code that gave the hackers unrestricted access to the recipient’s computer systems, from “stealing data to infecting other computers on a network,” wrote Tom Burt, a Microsoft vice president, on Thursday evening.
Last month, Mr Biden announced a series of new sanctions against Russia and the expulsion of diplomats for an elaborate hacking operation called SolarWinds that used novel methods to injure at least seven government agencies and hundreds of large American companies.
This attack went undetected by the US government for nine months until it was discovered by a cybersecurity company. In April, Mr Biden said he could have reacted much more strongly but chose “proportionate” because he did not want to “start a cycle of escalation and conflict with Russia”.
However, the Russian response appears to have been an escalation. The malicious activity had only started for the past week. This suggests that the sanctions and any additional covert measures the White House has put in place – part of a strategy to create “seen and invisible” costs for Moscow – have not stifled the Russian government’s appetite for disruption.
A spokesman for the agency for cybersecurity and infrastructure security in the Department of Homeland Security said late Thursday that the agency is “aware of the possible compromise” with the agency for international development and is working “with the FBI and USAID to better understand it. ” Level of compromise and support for potential victims. “
Microsoft identified the Russian group behind the attack as Nobelium and said it was the same group responsible for the SolarWinds hack. Last month, the US government explicitly stated that SolarWinds was the work of the SVR, one of the KGB’s most successful Soviet-era spin-offs
The same agency was involved in the National Democratic Committee hacking attacks in 2016 and previously in attacks on the Pentagon, White House email system, and State Department unclassified communications.
It’s gotten increasingly aggressive and creative, say federal officials and experts. The SolarWinds attack was never discovered by the US government and was carried out through code implanted in network management software that is widely used by the government and private companies. When customers updated SolarWinds software – much like an iPhone would do overnight – they were unwittingly letting in an intruder.
The victims last year included the ministries of homeland security and energy, as well as nuclear laboratories.
When Mr Biden took office, he ordered a study into the SolarWinds case, and officials have been working to prevent future supply chain attacks where adversaries infect software used by federal agencies. This is similar to this case when Microsoft’s security team caught the hackers using a widely used Constant Contact email service to send malicious emails that appeared to come from real-world addresses belonging to the International Development Agency.
May 26, 2021, 9:17 p.m. ET
But the content was barely subtle at times. In an email sent through the Constant Contact service on Tuesday, the hackers highlighted a message claiming that “Donald Trump had published new emails about election fraud.” The email contained a link that, if clicked, would place malicious files on recipients’ computers.
Microsoft noted that the attack was “significantly” different from the SolarWinds hack and used new tools and craftsmanship to avoid detection. It was said that the attack was still ongoing and that the hackers continued to send spearphishing emails with increasing speed and reach. Because of this, Microsoft took the unusual step of naming the agency whose email addresses were used and posting examples of the spoofed email.
Essentially, the Russians got into the Agency for International Development’s email system by circling the agency and going straight to their software suppliers. Constant Contact manages bulk emails and other communications on behalf of the aid organization.
“Nobelium launched this week’s attacks by gaining access to USAID’s Constant Contact account,” wrote Microsoft’s Burt. Constant contact could not be reached for comment.
Microsoft, like other large cybersecurity companies, maintains a large network of sensors to search for malicious activity on the Internet and is often a target itself. It was instrumental in uncovering the SolarWinds attack.
In this case, Microsoft reported, the hackers’ goal was not to track down the State Department or the aid agency, but rather to use their connections to get into groups that work on the ground – and in many cases, Putin’s most powerful ones Critic.
“At least a quarter of the target organizations were involved in international development, humanitarian and human rights work,” wrote Burt. Although he did not name them, many such groups have exposed Russian actions against dissidents or protested the poisoning, conviction and imprisonment of Russia’s most prominent opposition leader, Alexei A. Navalny.
The attack suggests that Russian intelligence agencies are stepping up their campaign, perhaps to demonstrate that the country would not step down in the face of sanctions, the eviction of diplomats and other pressures.
Mr Biden raised the SolarWinds attack on a phone call with Mr Putin last month, telling him that the sanctions and expulsions are evidence that his government would no longer tolerate an accelerated pace of cyber operations.
Mr Putin has denied Russia’s involvement, and some Russian news outlets have argued that the United States launched the attack against itself.
At the same time, the White House also imposed a number of new sanctions on Russian individuals and assets, including new restrictions on buying Russia’s national debt that will make it difficult for Russia to raise money and support its currency.
“This is the beginning of a new US campaign against malicious behavior by Russia,” Treasury Secretary Janet L. Yellen said at the time.
Tensions over the housing of cybercriminals in Russia increased significantly this month after a ransomware group took corporate networks of the Colonial Pipeline hostage. The attack forced the company to shut down a pipeline that brings nearly half of its gasoline, diesel and jet fuel to the east coast, sparking a spike in gas prices and panic buying at the pump.
Mr Biden said two weeks ago: “We spoke in direct communication with Moscow about the need for the responsible countries to take decisive action against these ransomware networks. ”