Russia-linked SolarWinds hackers target email accounts used by State Department aid agency

May 29, 2021

A screenshot with redacted information shows an alleged spear-phishing email intended to resemble a real email from the United States Agency for International Development. (Photo: Microsoft)

Hackers with suspected ties to the Russian government launched new assaults on human rights groups and government agencies, including email accounts used by the State Department’s international aid agency, Microsoft revealed late Thursday. 

Microsoft Vice President Tom Burt disclosed the breach in a blog post, saying the “wave of attacks” targeted about 3,000 email accounts – across 24 countries – at more than 150 organizations involved in international development and humanitarian work.

The U.S. received the largest share of attacks, Burt said. 

The discovery of the cyberattack comes just a few weeks before President Joe Biden is due to meet with Russia’s President Vladimir Putin at a summit in Geneva and adds to the growing list of complaints Biden is likely to bring up with Putin in Switzerland. 

“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” Burt, who is Microsoft’s vice president of customer security and trust, wrote in the post.

Microsoft said Nobelium is the same group responsible for the SolarWinds hack, a sweeping cyberattack that compromised at least half a dozen U.S. federal agencies including the Department of Homeland Security and Energy Department, as well as thousands of companies in the private sector. U.S. intelligence agencies believe the SolarWinds hack is the work of SVR, Russia’s Foreign Intelligence Service.  

Biden last month expelled Russian diplomats and announced new sanctions on Russia in retaliation for the massive SolarWinds hacking operation, which began in early 2020 but was only discovered in December that same year. GCHQ, Britain’s National Cyber Security Centre, also believes the Kremlin was likely behind SolarWinds. 

Russia denies any involvement in the SolarWinds breach but SVR director Sergei Naryshkin said in mid-May that he was “flattered” by the accusations from Washington and London. Russia has not commented on the new Nobelium hacking allegations.  

Microsoft did not disclose whether the new breach by Nobelium was ultimately successful. However, it said the cyberattack operation involved sending phishing emails that were made to resemble legitimate ones, but engineered to deliver harmful files.  

The assault appeared aimed at U.S. and international humanitarian think tanks, consultancies and agencies that have been critical of Russia’s crackdown on democracy activists such as Alexey Navalny, who was jailed in Russia in February for breaking parole conditions while he was in Germany receiving treatment for poisoning with a Russian-made military-grade nerve agent called Novichok.

In one example of the attempted phishing breach highlighted by Microsoft, an email that appears to originate from a USAID email account claims that “Donald Trump has published new emails on election fraud.” If the recipient of that email were to click on the link supplied it would place malicious files on the user’s computer, Microsoft said. 

The technology giant said Nobelium was able to launch the new assault after gaining access to an email marketing service used by USAID, or the United States Agency for International Development. USAID is the main American government agency responsible for delivering foreign civilian aid and development assistance. It is an independent agency but formally administered by the State Department. 

USAID could not immediately be reached for comment or more detail about the breach. The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, also could not immediately be reached for comment.

The White House has not commented. 

Terry Thompson, an expert in cybersecurity at Johns Hopkins University, described the suspected state-sponsored SolarWinds hack as “one of the most devastating cyberattacks in history.” But the U.S. has also been contending with what appears to be increasingly bold assaults from private Russia-based cyberattack gangs. 

The FBI believes that the main culprit of a ransomware attack called DarkSide, which in early May shut down Colonial Pipeline, the largest fuel pipeline in the U.S., is a Russian cybercrime network that operates under the same name.