The Russian hackers who breached several US government agencies last year have hijacked an email system used by USAID, the development agency, to target more than 150 government agencies, human rights groups and NGOs worldwide, said Microsoft.
Microsoft said the hackers, who it identified as Nobelium, were the same group responsible for manipulating software from the US company SolarWinds in order to breach the US Treasury and Commerce departments, as well as the Pentagon and several Fortune 500 companies. The White House said last month the group was part of the Russian Foreign Intelligence Service.
In the latest attack, Microsoft said the group had used USAID’s mass email system, called Constant Contact, to pose as the US international development agency. They sent emails to more than 3,000 accounts at more than 150 government agencies, think-tanks, consultancies and non-governmental organisations.
Targets who opened the emails allowed the hackers to perform “a wide range of activities from stealing data to infecting other computers on a network.”
The scheme, which Microsoft said was an “active incident”, mainly focused on the US but spanned at least 24 countries. At least a quarter of those targeted were involved in international development, humanitarian and human rights work.
Joe Biden, the US president, has faced calls to bolster the country’s cyber defences following the campaign, a recent Chinese state-backed espionage campaign that exploited vulnerabilities in Microsoft’s email software and an attack on a US petroleum pipeline company by a criminal group this month.
The Biden administration imposed sanctions on Russia and signed an executive order this month requiring higher cyber security standards for federal agencies and their technology software providers.
Microsoft said “many of the attacks” that targeted its customers were blocked because automated systems marked the emails as spam and its systems prevented the malicious software from gaining access.
It is unclear if any organisations were breached despite these security measures. Microsoft declined to comment.
Tom Burt, Microsoft’s corporate vice-president of customer security and trust, said the latest attacks “appear to be a continuation of multiple efforts by [the hackers] to target government agencies involved in foreign policy as part of intelligence-gathering efforts”.
“When coupled with the attack on SolarWinds, it’s clear that part of [the hackers’] playbook is to gain access to trusted technology providers and infect their customers,” he added.
Constant Contact said it was “aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts”.
“This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in co-operation with our customer, who is working with law enforcement,” it added.
#techFT brings you news, comment and analysis on the big companies, technologies and issues shaping this fastest moving of sectors from specialists based around the world. Click here to get #techFT in your inbox.