Microsoft warns Russian hackers are using a US agency to mount a huge cyberattack – CNET

[Photo: James Martin/CNET]

Microsoft on Thursday disclosed a wide-scale cyberattack that it says is being operated by hackers linked to Russian intelligence, the same ones behind the SolarWinds hack. The hackers gained access to the email system used by the US Agency for International Development (USAID), a State Department agency focused on foreign aid, and sent malicious emails to “around 3,000 individual accounts across more than 150 organizations,” according to a threat alert from Microsoft.

Microsoft said the hacking campaign is still active and that some malicious emails were sent as recently as this week.

A spokesperson for the US Cybersecurity and Infrastructure Security Agency said the agency is “aware of the potential compromise at USAID through an email marketing platform,” adding that it’s “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”

This newly disclosed cyberattack comes just over a month after the US officially imposed sanctions against Russia for alleged election interference and malicious cyberactivity, including the widespread SolarWinds hack. Key intelligence agencies had already said Russia was the likely origin of the SolarWinds hack, which used tainted software from IT management company SolarWinds to penetrate multiple US federal agencies and at least 100 private companies.

Microsoft said it had been tracking this new hacking campaign since January 2021 but things escalated significantly on Tuesday when hackers “leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.” Due to the high volumes of malicious emails sent, some might have been caught by spam filters but others likely made it past automated systems to the intended inboxes, Microsoft said. 

If a person clicked the link in the email, it would deliver a malicious file that could give the hackers “persistent access to compromised systems,” according to Microsoft. This could potentially allow the hackers to “conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”

USAID Acting Spokesperson Pooja Jhunjhunwala said the agency is investigating the incident.

“(USAID) became aware of potentially malicious email activity from a compromised Constant Contact email marketing account. The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said in a statement emailed to CNET. 

When reached for comment, a spokesperson for Constant Contact told CNET the company has disabled impacted accounts. 

“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” the spokesperson said. 

Neither the White House nor the Russian embassy in Washington immediately responded to a request for comment. 

[Image: One example of the malicious emails sent by the hackers, made to appear to be an alert from USAID. Credit: Microsoft]

More to come. 
