The Limited Times


Microsoft says hackers have attacked the US again.

2021-05-31T05:15:58.340Z


Hackers launched a new cyber attack against the United States and other countries, according to Microsoft.



(CNN Business) -

The hackers behind one of the worst data breaches to ever hit the United States government launched a new global cyber attack against more than 150 government agencies, think tanks and other organizations, according to Microsoft.

The group, which Microsoft calls "Nobelium," targeted 3,000 email accounts at various organizations this week, most of which were in the United States, the company said in a blog post Thursday.

Modus operandi

Microsoft believes the hackers are part of the same Russian group behind last year's devastating attack on SolarWinds, a software vendor, which targeted at least nine US federal agencies and 100 companies.

Cybersecurity has been a major focus for the US government after revelations that hackers had put malicious code in a tool published by SolarWinds.

A ransomware attack that shut down one of the most important pieces of America's energy infrastructure - the Colonial Pipeline - earlier this month has only heightened the sense of alarm.

That attack was carried out by a criminal group originating in Russia, according to the FBI.


Microsoft said that at least a quarter of the targets of this week's attacks were related to international development, humanitarian and human rights work, in at least 24 countries.


The company noted that Nobelium launched the attack by gaining access to a Constant Contact email marketing account used by the United States Agency for International Development (USAID).

"These attacks appear to be a continuation of Nobelium's multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts," the company said.

Reactions

USAID Acting Spokesperson Pooja Jhunjhunwala said Friday that the agency was aware of "potentially malicious email activity" from a compromised Constant Contact marketing account.

A forensic investigation into the incident is underway, Jhunjhunwala added.

For their part, the White House National Security Council and the United States Cybersecurity and Infrastructure Security Agency (CISA) are aware of the incident, according to spokesmen.

CISA is "working with the FBI and USAID to better understand the scope of the engagement and assist potential victims," a spokesperson said.

By gaining access to the USAID account, the hackers were able to send phishing emails that Microsoft said "looked authentic, but included a link that, when clicked, inserted a malicious file" that allowed hackers to access computers through a back door.

"This backdoor could allow a wide range of activities, from stealing data to infecting other computers on a network," Microsoft said.

One of the fake emails that appeared to come from USAID included an authentic return address.

The email was presented as a "special alert" inviting recipients to click on a link to "view documents" from former President Donald Trump on voter fraud.


The tracking

Microsoft said that many of the attacks were automatically blocked.

The company is notifying customers that they were attacked and said it "has no reason to believe that these attacks involve any exploits or vulnerabilities in Microsoft products or services."

A Constant Contact spokesperson said the company is "aware that the account credentials of one of our customers have been compromised."

The event was described as an "isolated" incident.

"We have temporarily deactivated the affected accounts while working in cooperation with our client, who works with law enforcement," added the spokesperson.

At the time of the attack on SolarWinds, US intelligence and law enforcement agencies said the group responsible "probably originated in Russia", adding that the attack was believed to be an act of espionage.

Microsoft reiterated those alleged motivations in its blog post Thursday, saying that "when combined with the attack on SolarWinds, it is clear that part of Nobelium's playbook is to gain access to trusted technology providers and infect their customers."


"By leveraging software updates and now mass email providers, Nobelium increases the chances of collateral damage in spying operations and undermines trust in the technology ecosystem," the company said.

Russia

The latest disclosure shows how Russia has not been intimidated by recent US efforts to hold the Kremlin accountable and bolster cybersecurity after the SolarWinds campaign, said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

"The Russians have a campaign plan for massive attacks on American targets, for which they have no incentive to stop," Lewis said.

"They are not afraid of the response from the United States. They are testing the new administration."


Kremlin spokesman Dmitry Peskov declined to comment on the details of Microsoft's allegations on Friday.

"To answer your question, we must first answer the following: which groups? Why are they linked to Russia? Who attacked what? What did this lead to? What was the attack itself? And how does Microsoft know? [When] these questions are answered, we can think about the answer [to your question]," Peskov told CNN in a conference call with journalists.

He added that he does not believe the accusations affect the upcoming summit between US President Joe Biden and Russian President Vladimir Putin.

- Anna Chernova, Zahra Ullah, Jennifer Hansler, Brian Fung, and Alex Marquardt contributed to this article.


Source: cnnespanol
