Russian-backed cyber spies are launching a new hack through the US aid agency, Microsoft reveals


Kremlin-backed cyber spies behind the SolarWinds hack launched a daring spear phishing campaign against US government agencies this week, Microsoft has revealed.

An email from the State Department’s own Agency for International Development (USAID) was sent to more than 3,000 accounts from 150 different organizations, many of which focused on human rights or humanitarian aid.

It contained a link that, when clicked, would implant code on the target’s computer that would give the hackers unfettered access to their files, from “stealing data to infecting other computers on a network,” said Microsoft Vice President Tom Burt.

Some of the emails were barely subtle, including one that said, “USAID ALERT: Donald Trump has published new documents on election fraud.” It provided a link to ‘view documents’, which caused the users to download the Trojan virus.

Microsoft said the hack was still underway and that malicious emails had been sent this week.

The discovery of the latest breach comes just three weeks before President Joe Biden will meet Vladimir Putin in Geneva amid heightened tensions already fueled by the SolarWinds hack that came to light in December.

The email contained a link that, when clicked, would implant code on the target’s computer that would give the hackers unfettered access to their files, from ‘stealing data to infecting other computers on a network,’ said Microsoft Vice President Tom Burt (photo: the example above uses a claim about former President Donald Trump)

President Joe Biden walks away from Marine One on the Ellipse near the White House on Thursday

Russian President Vladimir Putin will lead a meeting on economic issues on Wednesday via a video conference at the Bocharov Ruchei residence in the Black Sea resort of Sochi.


That attack had been going on for nine months before it was discovered. It exposed at least nine US government agencies, including the Justice Department, as well as some of the largest firms on Wall Street.

Biden said last month that he could have been much more punitive to Moscow, but chose to act “proportionately” because he didn’t want to “start a cycle of escalation and conflict with Russia.”

But this spear-phishing campaign underscores that whatever sanctions the Biden government has imposed have not stopped the Kremlin from deploying its hackers.

In fact, this time around, the attack was more sophisticated and brutal, using a USAID email that, unlike regular phishing emails, targets users more likely to believe it to be real.

A spokesperson for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security told the New York Times last night that it was “aware of the potential compromise” at USAID and that it was “working with the FBI and USAID to determine the extent of the compromise and assist potential victims.”

Microsoft called the group behind the hack Nobelium, the same one responsible for the SolarWinds breach.

Last month, the US government explicitly said that the SVR, one of the Soviet KGB’s espionage successors, had carried out the SolarWinds cyber attack.

Microsoft VP Burt did not say how many of the phishing emails led to successful break-ins.

But cybersecurity firm Volexity, which also followed the campaign, said the relatively low detection rates of the phishing emails suggested it was “likely to have some success in breaching targets.”

Burt said the campaign appeared to be a continuation of the Russian hackers’ many efforts to “target government agencies involved in foreign policy as part of intelligence gathering.”

He said the targets covered at least 24 countries.

The hackers gained access to USAID’s account with Constant Contact, an email marketing service, Microsoft said.

Basically, the hackers were able to get hold of a USAID email account through the third-party service the agency uses, instead of hacking the government agency directly.

The authentic-looking phishing emails of May 25 claim to contain new information about election fraud allegations in 2020 and contain a link to malware that gives hackers “permanent access to compromised machines.”

When a user receives the email, he clicks on a link that appears to send him to a legitimate website, but this site then downloads an ISO file (disk image) to his computer. This disk image is then mounted by the hackers, which means that it opens as if it were a USB drive or CD, and the malicious code is installed on the PC. It installs a Trojan virus that provides unobstructed access to the target’s machine and network.
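The infection chain described above (a browser drops an .iso into the user’s Downloads folder, the image is mounted as a new drive letter, and a payload is launched from it) leaves a recognisable footprint in endpoint telemetry. The following correlation rule is an added example written for this article, not code from Microsoft, Volexity or the campaign itself; it assumes Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate) already parsed into dicts, uses constructed sample events, and treats “launched from a non-system drive letter by explorer.exe shortly after an .iso download by the same user” as the heuristic signal.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # how long after the .iso download we still correlate
SYSTEM_DRIVE = "C:"              # assumption: Windows is installed on C:

# Constructed sample events (not from the article). Sysmon EventID 11 = FileCreate,
# EventID 1 = ProcessCreate. Paths and users are invented for illustration.
EVENTS = [
    {"id": 11, "time": "2021-05-25T14:02:10", "user": "CORP\\alice",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "target": r"C:\Users\alice\Downloads\election-documents.iso"},
    {"id": 1, "time": "2021-05-25T14:03:05", "user": "CORP\\alice",
     "image": r"E:\documents.exe", "parent": r"C:\Windows\explorer.exe"},
    # bob runs something from a removable drive, but no .iso download preceded it
    {"id": 1, "time": "2021-05-25T14:05:00", "user": "CORP\\bob",
     "image": r"E:\setup.exe", "parent": r"C:\Windows\explorer.exe"},
    # alice opens a normal program from the system drive: benign
    {"id": 1, "time": "2021-05-25T14:06:00", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def drive_of(path):
    """Return the drive letter ('E:') of an absolute Windows path, or None."""
    m = re.match(r"^([A-Za-z]:)\\", path)
    return m.group(1).upper() if m else None

def find_iso_launches(events, window=WINDOW):
    """Flag processes started by explorer.exe from a non-system drive letter
    within `window` after the same user's browser wrote an .iso into Downloads."""
    iso_downloads = [e for e in events if e["id"] == 11
                     and e["target"].lower().endswith(".iso")
                     and "\\downloads\\" in e["target"].lower()]
    alerts = []
    for e in events:
        if e["id"] != 1 or drive_of(e["image"]) in (None, SYSTEM_DRIVE):
            continue
        if not e["parent"].lower().endswith("\\explorer.exe"):
            continue
        for d in iso_downloads:
            delta = (_ts(e["time"]) - _ts(d["time"])).total_seconds()
            if d["user"] == e["user"] and 0 <= delta <= window.total_seconds():
                alerts.append({"user": e["user"], "iso": d["target"],
                               "launched": e["image"], "time": e["time"]})
    return alerts

if __name__ == "__main__":
    for a in find_iso_launches(EVENTS):
        print(f"ALERT {a['time']} {a['user']}: {a['launched']} launched after downloading {a['iso']}")
```

The rule is deliberately narrow: it will not fire on ordinary USB usage without a preceding .iso download, and the mounted-drive-letter assumption should be tightened with mount events where the endpoint agent records them.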

Microsoft said in a separate blog post that the campaign is underway and stemmed from several waves of spear-phishing campaigns it first discovered in January, which escalated into this week’s mass mailings.

While the SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks and at least nine U.S. government agencies, was extremely covert and continued for most of 2020 before being discovered by cybersecurity firm FireEye in December, this campaign is one that cybersecurity researchers say was easy to detect.

Microsoft noted the two mass distribution methods used: The SolarWinds hack leveraged the supply chain of software updates from a trusted technology vendor, while this campaign piggybacked on a mass email provider.

With either method, the company said, the hackers are undermining confidence in the technology ecosystem.
