The Russian hackers behind the SolarWinds campaign have escalated their attacks on U.S. federal agencies, think tanks and non-governmental organizations as part of intelligence gathering efforts on behalf of their government, Microsoft Corp. said late Thursday.
In a blog post, Microsoft Vice President Tom Burt said this past week’s attack — which is still ongoing — granted access to about 3,000 email accounts at more than 150 organizations by infiltrating an digital marketing service used by the U.S. Agency for International Development (USAID), called Constant Contact.
The hackers distributed phishing emails, among them “Special Alerts,” declaring that former President Donald J. Trump had published new documents on election fraud, and inviting the user to view them.
When clicked, a malicious file was inserted that the hackers could use to distribute a backdoor, granting the ability to steal data and infect other computers on the network.
While U.S. organizations bore the brunt of the attacks, victims in at least 24 other countries were also targeted, Burt wrote.
The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security posted news of the breach to its website and encouraged users to review Microsoft’s reporting and “apply the necessary mitigations.” Waltham, Massachussetts-based Constant Contact has made no public comment, and calls outside of business hours were not immediately answered.
Burt said it was clear that part of the hackers’ playbook was gaining access to trusted providers to infect their customers. Similarly in the SolarWinds campaign discovered in December 2020, hackers installed malicious code in updates for software belonging to Texas-based SolarWinds Corp., which was sent to tens of thousands of its customers, including nine federal agencies and at least 100 companies.
Accessing software updates and mass email providers gives the hackers increased chances of “collateral damage in espionage operations and undermines trust in the technology ecosystem,” Burt said.
The U.S. government said last month that SolarWinds was the work of SVR, the Russian foreign intelligence service, and said it also went by the names of APT29, which according to British intelligence spent much of last year hacking foreign governments for vaccine research, and Cozy Bear, which was involved in the 2016 hack of the Democratic National Committee.
In April, President Joseph Biden ordered sanctions against 32 Russian individuals and entities, including six companies that provide support to the Kremlin’s hacking operations. The U.S. also moved to expel 10 Russian diplomats working in Washington, including some intelligence officers. Biden and Putin are set to meet in Geneva in a little over two weeks’ time.