The Russian-backed group reportedly responsible for last year's sweeping SolarWinds hacks has once again breached a federal agency, this time the U.S. Agency for International Development.
Hackers within the Russian group Nobelium are believed to have accessed USAID's Constant Contact email marketing service account, according to Microsoft, which published a blog post late Thursday on the attack. Once the group had access to the USAID account, it used it to launch a larger intelligence-gathering phishing campaign targeting about 3,000 email accounts at more than 150 organizations, including other agencies, think tanks, contractors and non-governmental organizations.
It’s unclear from the blog post whether the attackers accessed other USAID systems or data. Microsoft did not comment beyond the information in the blogs.
“[T]he actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone,” Microsoft’s Tom Burt wrote in the blog post. “This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network.”
Microsoft said it detected the activity this week and that its services automatically block many of the attacks, adding that there's "no reason to believe these attacks involve any exploit against or vulnerability in Microsoft's products or services." The initial access, as Constant Contact later confirmed, came through compromised account credentials at the marketing service rather than through a software flaw.
Microsoft began tracking the spear-phishing campaign (spear-phishing being an attack in which social engineering and deception, usually via email, are aimed at specific individuals) in February. The campaign escalated in April, the company said, before the USAID emails were sent on May 25.
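As an added example, not code from the FedScoop article or from Microsoft's posts: a small Python check of the kind a mail-security team would run over messages that arrive through a bulk-mail platform. It flags anchors whose visible text names one host while the `href` points at a different one (the "looks authentic but links elsewhere" pattern described above), and it notes when the Return-Path domain differs from the From domain, which is normal for mail relayed by a marketing service and therefore only context, not proof of compromise. The two messages are constructed for the example; every domain is a `.example` placeholder, and the `bulk-mailer.example` relay, the `cdn-files.example` download host and the function names are assumptions.

```python
"""Flag lure-style links in HTML email and note bulk-mail relaying.

Two signals:
  * a link whose visible text names one registrable domain while its href
    resolves to another (the classic lookalike lure);
  * a Return-Path domain that differs from the From domain, which simply
    means the mail went out through a relay such as a marketing platform.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


# A host name that appears inside the *visible* link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Crude eTLD+1: keep the last two labels (fine for .gov/.com, not co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_mismatches(html):
    """Return anchors whose shown domain differs from the href's domain."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.anchors:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue  # text like "Read more" makes no domain claim
        shown = registrable(match.group(1))
        actual = registrable(urlparse(href).hostname or "")
        if actual and shown != actual:
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


def analyze(raw_message):
    """Parse one RFC 5322 message and report the two signals."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = registrable(msg["From"].addresses[0].domain)
    return_path = msg.get("Return-Path", "").strip().strip("<>")
    rp_domain = registrable(return_path.rpartition("@")[2]) if "@" in return_path else ""
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "relayed": bool(rp_domain) and rp_domain != from_domain,
        "link_mismatches": link_mismatches(html),
    }


# Constructed sample: sent through an assumed bulk-mail relay, link text claims
# the agency's site but the href fetches a file from an assumed download host.
SUSPICIOUS = b"""\
Return-Path: <bounce-123@bulk-mailer.example>
From: Agency Comms <news@agency.example>
To: analyst@thinktank.example
Subject: Special Alert
Content-Type: text/html; charset=us-ascii

<html><body><p>Read the update at
<a href="https://cdn-files.example/report/download">https://www.agency.example/alerts</a></p></body></html>
"""

# Constructed sample: direct send, link text makes no domain claim.
BENIGN = b"""\
Return-Path: <news@agency.example>
From: Agency Comms <news@agency.example>
To: analyst@thinktank.example
Subject: Monthly Update
Content-Type: text/html; charset=us-ascii

<html><body><p><a href="https://www.agency.example/news">Read more</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyze(raw))
```

The relay signal on its own would have fired on every legitimate USAID mailing too, since the messages in this incident genuinely came from the agency's account; what makes a message actionable is the combination of a relayed send with a link whose shown domain and real destination disagree.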
The incident remains active, according to Microsoft, and the company will add more details when they become available.
“Microsoft security researchers assess that Nobelium’s spear-phishing operations are recurring and have increased in frequency and scope,” the company said in a separate post. “It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.”
The Nobelium group is believed to have been responsible for the SolarWinds attacks, which affected at least nine federal agencies and many more organizations within the contracting base and wider industry. In this latest breach, however, Microsoft says the group took an approach that “differs significantly” from the SolarWinds campaign: that operation compromised SolarWinds’ Orion software to reach victims’ networks, whereas this one relied on a compromised account at a third-party email service to send lures that looked like they came from the agency itself.
News of the ongoing campaign comes as President Joe Biden is set to take a meeting with Russian President Vladimir Putin in Geneva next month as the U.S. looks “to restore predictability and stability to the U.S.-Russia relationship.”
In a statement to FedScoop, USAID acting spokesperson Pooja Jhunjhunwala, said: “The U.S. Agency for International Development (USAID) became aware of potentially malicious email activity from a compromised Constant Contact email marketing account.
“The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).”
A spokesperson for Constant Contact said: “We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts.
“This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement.”