Topline

Microsoft warned Thursday that a hacker group linked to Russia’s foreign intelligence service gained control of a mass-mailing account used by the U.S. Agency for International Development (USAID), the government’s foreign aid agency, and used it to target government agencies and non-governmental organizations, signaling continued cyber-escalation by Russia despite the sanctions imposed by the Biden administration.

Key Facts

According to a blog post published by Microsoft, NOBELIUM, the group behind the SolarWinds attack, took over USAID’s account at a mass-mailing service (Constant Contact) and used it to send official-looking emails containing malicious links to a range of organizations, including human rights groups and think tanks.

The malicious emails displayed a “usaid.gov” sender address, which could have led recipients to believe they were legitimate. The link inside led to a malicious file that installed a backdoor, giving the attackers persistent access to the recipient’s machine, from which they could steal data or compromise other computers on the network.
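The security point in the paragraph above is that a displayed sender address proves little when the mail is relayed through an authorized bulk-mail provider: SPF and DKIM can pass, because the provider really is permitted to send for that account, so a recipient’s filter has to look at who actually sent the message and where its links go. The following is an added example written for this page (not code from the article or from Microsoft’s report) that parses a message, compares the displayed From domain with the envelope sender, and flags links pointing outside the sender’s domain. The two sample messages are constructed for illustration, and every domain in them other than usaid.gov is a hypothetical placeholder.

```python
"""Added example: flag mail whose displayed sender does not match the envelope
sender or the domains its links point to. Sample messages are constructed;
domains other than usaid.gov are placeholders, not real campaign indicators."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display address is usaid.gov, but the envelope sender
# and the link target belong to a (hypothetical) bulk-mail provider.
SUSPECT_MSG = """\
Return-Path: <bounce-0001@mail.bulkmailer.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mail.bulkmailer.example
From: "USAID Special Alert" <alerts@usaid.gov>
To: analyst@ngo.example
Subject: USAID Special Alert
Content-Type: text/html

<html><body><p>Please review the attached documents:</p>
<a href="https://tracking.bulkmailer.example/ls/click?u=abc123">View documents</a>
</body></html>
"""

# Constructed sample of a legitimate notice: envelope sender and links stay
# within the displayed organisation's own domain.
BENIGN_MSG = """\
Return-Path: <newsletter@usaid.gov>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=usaid.gov
From: "USAID" <newsletter@usaid.gov>
To: analyst@ngo.example
Subject: Monthly update
Content-Type: text/html

<html><body><a href="https://www.usaid.gov/news">Read more</a></body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .gov/.com/.example;
    a production filter would consult the Public Suffix List instead."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw: str) -> dict:
    """Return the sender domains seen in the message and any mismatches."""
    msg = message_from_string(raw)
    from_domain = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    rp_domain = registrable(parseaddr(msg.get("Return-Path", ""))[1].split("@")[-1])

    # Single-part HTML body; a multipart message would need a walk() over parts.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    link_domains = {registrable(urlparse(u).hostname or "") for u in HREF_RE.findall(body)}
    foreign_links = sorted(d for d in link_domains if d and d != from_domain)

    findings = []
    if rp_domain != from_domain:
        findings.append(f"envelope sender {rp_domain} differs from displayed sender {from_domain}")
    if foreign_links:
        findings.append("links leave the sender domain: " + ", ".join(foreign_links))
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "foreign_links": foreign_links,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_MSG), ("benign", BENIGN_MSG)):
        result = analyse(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

Note that the suspect message passes SPF in its Authentication-Results header: the mismatch between the displayed usaid.gov sender and both the envelope domain and the link domain is what surfaces it, not the authentication result. Legitimate newsletters sent through a third-party provider will also trigger the envelope-mismatch finding, so in practice the rule is a triage signal to be combined with link reputation and attachment analysis rather than a hard block.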

The genuine-looking emails were sent out to over 3,000 accounts across more than 150 organizations that regularly receive communications from USAID.

Microsoft executive Tom Burt wrote that at least a quarter of the targeted organizations were “involved in international development, humanitarian, and human rights work.”

The emails were first sent out on May 25 and Microsoft believes the attacks are ongoing.

Crucial Quotes

In his blog post describing the attacks, Burt wrote: “Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organizations,” implying that it was a deliberate attack on groups that have been critical of Russian President Vladimir Putin and his administration.

Tangent

According to the New York Times, a spokesperson for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said that the agency was “aware of the potential compromise” at USAID and that it was “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”

Key Background

Last month, the Biden administration ordered a series of new sanctions against Russia and expelled several Russian diplomats over its role in a massive hacking campaign that targeted several federal agencies last year. The operation, known as the ‘SolarWinds hack’, used novel methods to burrow into the systems of at least seven government agencies and several major American companies. That attack remained undetected for several months until it was discovered and disclosed by the cybersecurity firm FireEye. NOBELIUM, the group that carried out the SolarWinds hack, is believed to have links with Russia’s foreign intelligence agency, the SVR. Earlier this month, SVR Director Sergei Naryshkin denied responsibility for the SolarWinds attack but said he was “flattered” by the accusation of being involved in such a sophisticated attack.

Further Reading

Russia Appears to Carry Out Hack Through System Used by U.S. Aid Agency (New York Times)

Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs (Reuters)