May 28, 2021, 12:56 p.m.
Hackers affiliated with Russian intelligence agencies breached systems used by a leading US aid organization to attack other government agencies, human rights organizations and think tanks. The move could heighten tension between Washington and Moscow ahead of a much-anticipated summit between the leaders of the two countries. Cyber security experts say that cyberattacks by Russian hackers have become a daily occurrence.
The "wave of attacks," which Microsoft Corp. first revealed in a blog post on Thursday, breached an email marketing service used by the United States' International Development Agency (USAID) to target around 3,000 email accounts in over 150 organizations in 24 countries, although the United States received a large share of the attacks.
Microsoft corporate vice president of customer security and trust Tom Burt said at least a quarter of the organizations targeted by the email phishing campaign addressed humanitarian, international development, and human rights issues. However, the extent of the damage is still unclear. Microsoft believes the attacks are ongoing, but found that automated threat detection systems blocked most emails and marked them as spam.
Microsoft attributed the attacks to Nobelium, the same hacking group that carried out the recent SolarWinds hacks against US government agencies in what is believed to be the worst cyber espionage breach in US history. While Nobelium orchestrated the SolarWinds hacks, US officials said Russia's foreign intelligence agency, the SVR, was behind the operation.
The recent Nobelium attack, whether or not it was a major breach of the US government's cyber infrastructure, shows that Russia has not been deterred by waves of US and European retaliation against previous cyberattacks. It is also the latest example of authoritarian regimes turning to hacking groups to attack their rivals overseas, whether foreign governments or human rights defenders.
"This is yet another example of how cyberattacks have become the preferred tool for a growing number of nation states to achieve a variety of political goals," wrote Microsoft's Burt.
News of the incident is likely to push Washington, under the Biden administration, toward a tougher stance against Moscow. “If Moscow is responsible, this audacious act of using e-mails associated with the US government shows that Russia remains unwavering despite the sanctions following the SolarWinds attack. These sanctions gave the administration the flexibility to further tighten the economic screws if necessary – it now seems necessary,” said Rep. Adam Schiff, Democratic chairman of the House Intelligence Committee, in a statement Friday.
Some cybersecurity experts were skeptical that the hack on USAID meant a significant escalation and noted that spear phishing emails are a routinely used tool in cyber espionage. "It's really not uncommon for attackers to do something like this," said security expert Bruce Schneier, an employee of the Berkman Klein Center for Internet and Society at Harvard University. "I'm willing to bet these things happen every day," he added.
The targeting of human rights and humanitarian aid organizations is significant because the Kremlin has pursued a steadfast crackdown on civil society organizations.
“The government makes no effort to intimidate, tarnish and ultimately punish independent groups that deal with a wide variety of human rights and related civil issues. One of the most important methods is to try to falsely imply that they are either alien in their ideas or as representing foreign interests,” said Rachel Denber, assistant director, Europe and Central Asia, Human Rights Watch.
The Russian authorities have repeatedly tried to write off social unrest and government critics as the henchmen of Western governments. USAID was expelled from Russia in 2012 after working in the country since the collapse of the Soviet Union. The Russian government accused USAID of interfering in the country's domestic politics.
According to Microsoft, Russian hackers orchestrated the latest attack by breaching Constant Contact, an email service used by USAID, to send phishing emails that appeared to come from USAID to thousands of email accounts.
John Hultquist, vice president of Mandiant Threat Intelligence at FireEye, said the company had been tracking a wave of spear phishing-related emails since March. “In addition to USAID content, they used a variety of baits, including diplomatic notes and embassy invitations. All of these operations have centered on governments, think tanks and related organizations traditionally targeted by SVR operations,” he said in a statement.
“Given the brazen nature of this incident, the SVR does not seem willing to curb its cyber espionage activities, let alone go to great lengths to hide new activities. In fact, this incident is a reminder that cyber espionage will stay here,” said Hultquist.
A former senior National Security Agency official, who spoke on condition of anonymity, said that while the attack was not as sophisticated as the SolarWinds hack, the attackers put significant effort into experimenting and refining their approach. "It's more demanding in terms of social engineering," said the former official.
One of the spear phishing emails identified by Microsoft, sent on Tuesday, was styled as a warning from USAID that read, "Donald Trump has published new electoral fraud documents," with a link to "View Documents". Clicking the link delivers malicious files that are used to steal data and infect other computers.
"It was developed to make it attractive to everyone, regardless of political orientation," said the former official.
USAID acting spokesman Pooja Jhunjhunwala confirmed to Foreign Policy that the agency "became aware of potentially malicious email activity from a compromised Constant Contact email marketing account."
“The forensic investigation of this security incident is still ongoing. USAID has notified and is working with all relevant federal agencies, including the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” she said in a statement sent via email.
The attacks come before President Joe Biden is scheduled to meet Russian President Vladimir Putin for a summit in Geneva on June 16 amid mounting tensions between the two former Cold War rivals.
Biden harshly criticized Russia for the SolarWinds attack and imposed severe new sanctions on Moscow in April. When he announced the sanctions, however, he stressed that he wanted to defuse tensions with Russia. "I chose proportionate," he said. “The United States does not want to initiate a cycle of escalation and conflict with Russia. We want a stable, predictable relationship.”
The Russian government rejected Microsoft's findings on Friday. Dmitry Peskov, Putin's spokesman, told reporters the Kremlin had no information about the Nobelium attack and called it an "unfounded accusation," according to Russian state news agency TASS. Peskov said it was unlikely to affect the upcoming Biden-Putin summit.