
SolarWinds Hackers Unleash Phishing Attacks on 150 Organizations

by CISOCONNECT Bureau

According to Microsoft, the state-backed Russian cyber spies behind the SolarWinds hacking effort started a targeted spear-phishing attack this week on US and foreign government organizations and think tanks using an email marketing account of the US Agency for International Development.

Microsoft Vice President Tom Burt stated in a blog post late Thursday that the campaign targeted around 3,000 email accounts at more than 150 different organizations, with at least a quarter of them involved in international development, humanitarian, and human rights work.

It did not specify how many of the attempts resulted in successful intrusions.

In a post, the cybersecurity firm Volexity, which also followed the campaign but has less visibility into email systems than Microsoft, concluded that the attacker was “likely having some success in breaching targets” due to the low detection rates of the phishing emails.

The campaign, according to Burt, looked to be a continuation of Russian hackers’ multiple efforts to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He added that the targets covered at least 24 countries.

According to Microsoft, the hackers got access to USAID’s account at Constant Contact, an email marketing service. The phishing emails, dated May 25, claim to provide new information on 2020 election fraud charges and include a link to malware that allows the attackers to “achieve persistent access to compromised machines.”

In a separate blog post, Microsoft stated that the attack is ongoing and that it evolved from numerous waves of spear-phishing campaigns, first discovered in January, into the mass mailings this week.

While the SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks as well as at least nine U.S. government agencies, was extremely stealthy and went undetected for most of 2020 before being discovered in December by cybersecurity firm FireEye, this campaign is what cybersecurity experts refer to as noisy. It’s simple to detect.

According to Microsoft, the hackers used two mass distribution methods: the SolarWinds attack exploited the supply chain of a trusted technology supplier’s software updates, while this campaign piggybacked on a mass email provider. With both approaches, according to the company, the hackers destroy faith in the technology ecosystem.
