The Russian hackers behind the "SolarWinds" campaign have stepped up their attacks on U.S. federal agencies, think tanks and non-governmental organizations as part of their intelligence-gathering efforts on behalf of the Russian government, Microsoft said late Thursday. The ongoing campaign's latest wave, launched this week, targeted approximately 3,000 email accounts at more than 150 organizations, Microsoft Vice President Tom Burt wrote in a blog post: the hackers gained access to the account that the U.S. Agency for International Development (USAID) held with the email marketing service Constant Contact and used it to send the messages.
The phishing emails, which appeared to come from USAID, were dressed up as "special alerts" claiming that former President Donald Trump had published new documents on election fraud and prompting recipients to view them. Clicking the link installed a malicious file that delivered a backdoor, giving the attackers covert, persistent access that could be used for anything from stealing data to infecting other computers on the network. Burt noted that while U.S. organizations received the largest share of the attacks, targeted victims were located in at least 24 countries.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency posted a notice about the activity on its website, urging users to review Microsoft's reports and "implement necessary damage mitigation measures." Constant Contact, based in Massachusetts, had no public comment and did not immediately respond to after-hours calls.
Burt said it was clear that gaining access to trusted service providers in order to reach their customers is part of the hackers' playbook. In the SolarWinds campaign, discovered in December 2020, the hackers inserted malicious code into software updates from Texas-based SolarWinds Corp. that went out to roughly 18,000 of its customers; nine federal agencies and about 100 companies were subsequently compromised. Burt added that piggybacking on software updates and bulk email providers gives the hackers more opportunities "to cause collateral damage in espionage operations and undermine trust in the public technology system."
Last month the U.S. government formally attributed the SolarWinds campaign to Russia's Foreign Intelligence Service, the SVR. British intelligence has likewise blamed the SVR's hacking unit, known in the security industry as APT29 or "Cozy Bear", for a campaign throughout much of last year that targeted organizations in several countries working on COVID-19 vaccine research; the same group was involved in the 2016 breach of the Democratic National Committee.
In April, President Joe Biden ordered sanctions against 32 Russian individuals and entities, including six companies supporting Kremlin hacking efforts. The United States also moved to expel 10 Russian diplomats operating in Washington, some of whom are intelligence officers. It is worth noting that Biden and Putin are scheduled to meet in Geneva in just over two weeks.