Hackers used the U.S. Agency for International Development's email marketing account to send messages that looked legitimate — but links in the email exposed recipients to malicious software, Microsoft says.

Caption

Hackers used the U.S. Agency for International Development's email marketing account to send messages that looked legitimate — but links in the email exposed recipients to malicious software, Microsoft says. / Screen grab by Microsoft

Updated May 28, 2021 at 12:50 PM ET

The same Russian hackers who carried out the SolarWinds attack and other malicious campaigns have now attacked groups involved in international development, human rights and other issues, according to Microsoft. The company said the breach began with a takeover of an email marketing account used by the U.S. Agency for International Development.

Hackers sent malicious emails from the agency's account. Screenshots show the note purports to be a special alert, highlighting the message, "Donald Trump has published new documents on election fraud."

News of the attack comes less than three weeks before President Biden is slated to hold a summit with Russian President Vladimir Putin. The White House said this week that Biden wants to "restore predictability and stability" in the two countries' relationship. Press secretary Jen Psaki issued that statement on Tuesday — the same day the hackers sharply escalated their attack, according to Microsoft.

Russian presidential press secretary Dmitry Peskov denied his country is involved, saying Microsoft was making an "unfounded accusation," according to the Interfax news agency.

Here's what we know about the new hacking campaign:

The hackers

The new cyber campaign was orchestrated by a group Microsoft calls Nobelium, though it may be better known as APT29. The group is thought to be run out of the Russian Foreign Intelligence Service, or SVR.

The tech company said recipients were sent emails that looked to be from USAID — but which contained links that could install malicious code, giving hackers wide-ranging access.

The messages were sent from USAID's account with Constant Contact, a large email marketing and branding company. Microsoft said emails containing malicious URLs were sent to roughly 3,000 accounts at more than 150 organizations.

"Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020," Microsoft said. "These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts."

Russia has denied responsibility for the SolarWinds attack, which was also a supply chain attack, exploiting government agencies' relationship with a private company. The U.S. hit Russia with sanctions over SolarWinds last month, accusing the country of an attack that breached elements of the U.S. Homeland Security and Treasury departments.

The initial targets

USAID carries out missions worldwide that range from promoting democracy and human rights to backing economic development and helping populations in crisis.

Acknowledging the attack in a statement sent to NPR, USAID acting spokesperson Pooja Jhunjhunwala confirmed that the hack originated in a compromised email marketing account.

"The forensic investigation into this security incident is ongoing," she said. USAID is now working with the Cybersecurity and Infrastructure Security Agency, along with DHS (CISA's parent agency) and other agencies, Jhunjhunwala added.

Constant Contact, a Massachusetts company that has more than 600,000 customers worldwide, said the attack is an isolated incident.

"We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer's Constant Contact accounts," a company spokesperson told NPR. The company said it has temporarily disabled the affected accounts, adding that it's "working with our customer, who is working with law enforcement."

Note: Both Microsoft and Constant Contact are financial supporters of NPR.

How the hack worked

The initial phases of the attack began in January, Microsoft said. After a period of probing and experimentation, the company said, the hackers used a spear-phishing campaign to launch a large-scale attack on Tuesday.

The bogus email sent from the USAID account includes "a legitimate lure referencing foreign threats to the 2020 U.S. Federal Elections," said Volexity, a cybersecurity firm that issued a report about the security threat on Thursday.

From there, all the hackers needed was for someone to click the link: The attackers are "very adept and very skilled at turning a foothold or an initial entry point into a wider breach," Volexity's president, Steven Adair, told NPR.

Like many similar hacks, the attack relies on several essential steps.

Gaining access: Using Constant Contact's emailing tools, the hackers send legitimate-looking messages from spoofed email addresses that include a link. People who click that link are sent to a legitimate related service — but they're also redirected to malicious infrastructure controlled by Nobelium, Microsoft said.

Installing malware: A payload of malware is delivered to target computers, is installed and then executes, giving the hackers access.

Command and control: Upon being engrained in users' computers, the malware activates a beacon that sends attackers a notice to alert them to a successful intrusion. The hackers can then extract data and deliver additional malware.

The high-volume email campaign prompted automatic systems to block many of the emails and mark them as spam, Microsoft said. But the company added that the earliest emails that were sent might have been successfully delivered.

The full scope of the attack — the compromised systems, and affected accounts — is not yet known.

The U.S. response

The Biden administration has not yet laid blame for the attack. The White House National Security Council said it's monitoring the incident, an NSC spokesperson said Friday.

So far, the impact of the new phishing incident seemed to be limited, the NSC spokesperson said, noting that Microsoft had said that many of the phishing emails sent through the service used by USAID had likely been blocked by automated systems.

The spokesperson spoke on condition of anonymity about the incident, noting that the U.S. intelligence community has not said who it believes is responsible.

The White House had no immediate comment on Friday on whether the new hack might affect plans for the upcoming summit between Biden and Putin.

The Biden administration said it's pushing forward on a plan to improve federal agencies' security in computer networks and software — part of an executive order issued after the SolarWinds hack.

In a statement on the latest attack, Sen. Mark R. Warner, D-Va., chairman of the Senate Select Committee on Intelligence, said, "We have to step up our cyber defenses, and we must make clear to Russia – and any other adversaries – that they will face consequences for this and any other malicious cyber activity."

Copyright 2021 NPR. To see more, visit https://www.npr.org.