Microsoft warns Russian hackers are using a US agency to mount a huge cyberattack – CNET
Microsoft has disclosed a widescale cyberattack that it says is operated by hackers linked to Russian intelligence, the same ones behind the SolarWinds hack. The hackers gained access to the email system used by the US Agency for International Development, a State Department agency focused on foreign aid, and sent malicious emails to “around 3,000 individual accounts across more than 150 organizations,” according to a threat alert that Microsoft sent Thursday.
The hacking campaign is still active, Microsoft said, and some malicious emails were sent as recently as this week.
A spokesperson for the US Cybersecurity and Infrastructure Security Agency said that CISA is “aware of the potential compromise at USAID through an email marketing platform” and added that it’s “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
This newly disclosed cyberattack comes just over a month after the US officially imposed sanctions against Russia for alleged election interference and malicious cyberactivity, including the widespread SolarWinds hack. Key intelligence agencies had already said Russia was the likely origin of the SolarWinds hack, which used tainted software from IT management company SolarWinds to penetrate multiple US federal agencies and at least 100 private companies.
Microsoft said that it had been tracking this new hacking campaign since January 2021 but that the situation escalated significantly on Tuesday when hackers “leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.” Due to the high volume of malicious emails sent, some might have been caught by spam filters but others likely made it past automated systems to the intended inboxes, Microsoft said.
If a person clicked on the link in the email, it would upload a malicious file that could give the hackers “persistent access to compromised systems,” according to Microsoft. This could potentially allow for the hackers to “conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”
USAID spokesperson Pooja Jhunjhunwala said the agency is investigating the incident.
Stay in the know. Get the latest tech stories from CNET News every weekday.
The agency “became aware of potentially malicious email activity from a compromised Constant Contact email marketing account. The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said in a statement emailed to CNET.
When reached for comment, a spokesperson for Constant Contact told CNET that the company has disabled impacted accounts.
“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” the spokesperson said.
Neither the White House nor the Russian embassy in Washington immediately responded to a request for comment.