Russia-linked SolarWinds hackers target email accounts used by State Department aid agency


Hackers with suspected ties to the Russian government launched new assaults on human rights groups and government agencies, including email accounts used by the State Department's international aid agency, Microsoft revealed late Thursday.

Microsoft Vice President Tom Burt disclosed the breach in a blog post, saying the "wave of attacks" targeted about 3,000 email accounts across 24 countries, at more than 150 organizations involved in international development and humanitarian work.

The U.S. received the largest share of attacks, Burt said.

The discovery of the cyberattack comes just a few weeks before President Joe Biden is due to meet with Russia's President Vladimir Putin at a summit in Geneva and adds to the growing list of complaints Biden is likely to bring up with Putin in Switzerland.

A screenshot with redacted information shows an alleged spear-phishing email intended to resemble a real email from the United States Agency for International Development.

What is Nobelium?

"These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts," Burt, who is Microsoft's vice president of customer security and trust, wrote in the post.

Microsoft said Nobelium is the same group responsible for the SolarWinds hack, a sweeping cyberattack that compromised at least half a dozen U.S. federal agencies including the Department of Homeland Security and Energy Department, as well as thousands of companies in the private sector. U.S. intelligence agencies believe the SolarWinds hack is the work of SVR, Russia's Foreign Intelligence Service.

Biden last month expelled Russian diplomats and announced new sanctions on Russia in retaliation for the massive SolarWinds hacking operation, which began in early 2020 but was only discovered in December that same year. GCHQ, Britain's National Cyber Security Centre, also believes the Kremlin was likely behind the SolarWinds breach.

Russia denies any involvement in the SolarWinds hack, but SVR director Sergei Naryshkin said in mid-May that he was "flattered" by the accusations from Washington and London. Russia has not commented on the new Nobelium hacking allegations.

Microsoft did not disclose precisely how successful the new breach by Nobelium was, saying only that "many of the attacks targeting our customers were blocked automatically." It added that "Windows Defender is blocking the malware involved in this attack." Microsoft said the cyberattack operation involved sending phishing emails made to resemble legitimate ones, but engineered to deliver harmful files.

"We have no reason to believe these attacks involve any exploit against or vulnerability in Microsoft’s products or services," it said.

The assault appeared largely aimed at U.S. and international humanitarian think tanks, consultancies and agencies that have been critical of Russia's crackdown on democracy activists such as Alexey Navalny. Navalny was jailed in Russia in February for breaking parole conditions while he was in Germany receiving treatment for poisoning with Novichok, a Russian-made military-grade nerve agent.

Phishing attempt included Trump 'election fraud' emails as lure

In one example of the attempted phishing breach highlighted by Microsoft, an email that appears to originate from a USAID email account claims that "Donald Trump has published new emails on election fraud." If the recipient of that email were to click on the link supplied it would place malicious files on the user's computer, Microsoft said.

The technology giant said Nobelium was able to launch the new assault after gaining access to an email marketing service used by USAID, or the United States Agency for International Development. USAID is the main American government agency responsible for delivering foreign civilian aid and development assistance. It is an independent agency, but formally administered by the State Department.

USAID's acting spokesperson Pooja Jhunjhunwala said the agency was "aware of potentially malicious email activity" and that a "forensic investigation into this security incident is ongoing." The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, said: "We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims."

Jamil Jaffer, a former Associate White House Counsel to President George W. Bush and now an executive at IronNet Cybersecurity, which advises companies on how to defend themselves against hacking, said in emailed comments that the new assault reported by Microsoft "could provide the Russians with sustained access to (and intelligence on) all sorts of third parties that the U.S. government works with through" USAID.

The White House has not commented.

Terry Thompson, an expert in cybersecurity at Johns Hopkins University, described the suspected state-sponsored SolarWinds hack as "one of the most devastating cyberattacks in history." But the U.S. has also been contending with what appears to be increasingly bold assaults from private Russia-based cyberattack gangs.

The FBI believes, for example, that the main culprit of a ransomware attack called DarkSide, which in early May shut down Colonial Pipeline, the U.S.'s largest fuel pipeline, is a Russian criminal network that operates under the same name.

Biden-Putin meeting: Add this to the list?

The scheduled June 16 face-to-face encounter between Biden and Putin in Switzerland will take place against the backdrop of a long, tense relationship between Washington and Moscow that is off to a rocky start under the Biden administration.

White House press secretary Jen Psaki said no formal preconditions or talking points have been set for the meeting. However, in addition to allegations over the Kremlin's tacit or explicit endorsement of hacking attacks, the agenda will almost certainly extend to Russia's territorial aggressions in neighboring Ukraine, the forced diversion this week of a Lithuania-bound commercial flight by Russian ally Belarus so that it could arrest a dissident journalist, and Navalny's ongoing detention.

The summit is likely also to touch on Russia's work on a gas pipeline called Nord Stream 2 that the U.S. has determined is a threat to European energy security, efforts by both nations to stem the coronavirus pandemic, and assessments by U.S. intelligence agencies that Russia is the main suspect in connection with a group of U.S. diplomats and government employees suffering from "Havana Syndrome," a mysterious neurological condition whose symptoms include headaches, tinnitus and balance issues.

The syndrome, potentially the result of directed microwave energy that could be part of a futuristic weapon possibly under development by Russia, was first discovered at the U.S. embassy in Cuba in 2018. Russia adamantly denies any involvement. Unexplained illnesses connected to the syndrome have since expanded to U.S. government workers and their families in China, Western Europe and even in the U.S.

This article originally appeared on USA TODAY: SolarWinds hackers, linked to Russia, target USAID email accounts