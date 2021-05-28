Russia appears to have carried out hack through system used by US aid agency
Hackers linked to Russia's main intelligence agency surreptitiously hijacked an email system used by the State Department's international aid agency to infiltrate the computer networks of human rights groups and other organizations that have criticized President Vladimir V. Putin, Microsoft Corporation revealed on Thursday.
The discovery of the breach comes just three weeks before President Biden is scheduled to meet Mr. Putin in Geneva, and at a time of heightened tension between the two countries, in part because of a series of increasingly sophisticated cyberattacks emanating from Russia.
The newly disclosed attack was also particularly bold: by breaking into the systems of a provider used by the federal government, the hackers sent genuine-looking emails to more than 3,000 accounts at more than 150 organizations that regularly receive communications from the United States Agency for International Development. The emails went out this week alone, and Microsoft said it believed the attacks were continuing.
The emails carried code that would give the hackers unrestricted access to recipients' computer systems, enabling anything "from stealing data to infecting other computers on a network," Tom Burt, a Microsoft vice president, wrote on Thursday evening.
Last month, Mr. Biden announced a series of new sanctions on Russia and the expulsion of diplomats in response to a sophisticated hacking operation, known as SolarWinds, which used novel methods to breach at least seven government agencies and hundreds of major US corporations.
That attack went undetected by the US government for nine months, until it was discovered by a cybersecurity company. In April, Mr. Biden said he could have responded far more forcefully but "chose to be proportionate" because he did not want to "kick off a cycle of escalation and conflict with Russia."
The Russian response, however, appears to have been escalation. The malicious activity was under way as recently as last week. This suggests that the sanctions and the additional covert actions taken by the White House, as part of a strategy to impose "seen and unseen" costs on Moscow, have not dampened the Russian government's appetite for disruption.
A spokesperson for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said Thursday evening that the agency was "aware of the potential compromise" at the Agency for International Development and was "working with the FBI and USAID to better understand the extent of the compromise and assist potential victims."
Microsoft identified the Russian group behind the attack as Nobelium and said it was the same group responsible for the SolarWinds hack. Last month, the US government explicitly declared SolarWinds to be the work of the SVR, one of the most successful KGB spinoffs of the Soviet era.
The same agency was involved in the 2016 Democratic National Committee hack, and before that, in attacks on the Pentagon, the White House messaging system, and the State Department’s unclassified communications.
The agency has become increasingly aggressive and creative, according to federal officials and experts. The SolarWinds attack was never detected by the United States government; it was carried out using code embedded in network management software that the government and private companies use widely. When customers installed an update to the SolarWinds software, much as an iPhone updates itself overnight, they let an intruder in without knowing it.
Among the victims last year were the departments of Homeland Security and Energy, as well as nuclear laboratories.
When Mr. Biden took office, he ordered a review of the SolarWinds case, and officials worked to prevent future "supply chain" attacks, in which adversaries infect software used by federal agencies. Something similar happened in this case: Microsoft's security team caught the hackers using a widely used mass-email service, provided by a company called Constant Contact, to send malicious emails that appeared to come from genuine Agency for International Development addresses.
But the content was at times hardly subtle. In an email sent on Tuesday through the Constant Contact service, the hackers led with a message claiming that "Donald Trump has published new emails on election fraud." The email contained a link that, when clicked, dropped malicious files onto the recipient's computer.
Microsoft noted that the attack differed "considerably" from the SolarWinds hack, using new tools and tradecraft in an apparent effort to avoid detection. The company said the attack was still under way and that the hackers continued to send spear-phishing emails with increasing speed and reach. That is why Microsoft took the unusual step of naming the agency whose email addresses were being used and publishing samples of the fake emails.
Essentially, the Russians entered the International Development Agency’s email system by going around the agency and directly attacking its software vendors. Constant Contact handles mass emails and other communications on behalf of the aid agency.
“Nobelium launched this week’s attacks by accessing USAID’s Constant Contact account,” Microsoft’s Burt wrote. Constant Contact could not be reached for comment.
Microsoft, like other large companies involved in cybersecurity, maintains an extensive network of sensors to look for malicious activity on the Internet, and is often a target itself. It was deeply involved in exposing the SolarWinds attack.
In this case, Microsoft reported, the hackers' goal was not to attack the State Department or the aid agency, but to use their connections to break into groups that work in the field and that, in many cases, are among Mr. Putin's most powerful critics.
"At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," Mr. Burt wrote. Although he did not name them, many such groups have exposed Russia's actions against dissidents or have protested the poisoning, conviction and imprisonment of Russia's best-known opposition leader, Alexei A. Navalny.
The attack suggests that Russian intelligence agencies are stepping up their campaign, perhaps to demonstrate that the country will not back down in the face of sanctions, expulsion of diplomats and other pressure.
Mr. Biden discussed the SolarWinds attack with Mr. Putin in a phone call last month, telling him that the sanctions and expulsions showed his administration would no longer tolerate the increased pace of cyber operations.
Mr. Putin has denied Russian involvement, and some Russian news outlets have claimed that the United States launched the attack on itself.
At the time, the White House also imposed a series of new sanctions on Russian individuals and assets, including new restrictions on the purchase of Russian sovereign debt, which will make it harder for Russia to raise funds and support its currency.
“This is the start of a new American campaign against the malicious behavior of Russia,” Treasury Secretary Janet L. Yellen said at the time.
Tensions over Russia's harboring of cybercriminals escalated sharply this month after a ransomware group took hostage the business networks of Colonial Pipeline. The attack forced the company to shut down a pipeline that carries nearly half of the gasoline, diesel and jet fuel used on the East Coast, sending gas prices higher and setting off panic buying at the pump.
Mr. Biden said two weeks ago that "we have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks."
