SolarWinds Hackers Sent Malware Messages on 2020 Election from U.S. Agency Email Account

Russian-based hackers behind the SolarWinds attacks sent email containing malware to over 3,000 accounts in more than 150 organizations from a marketing account of the U.S. Agency for International Development, the Associated Press reported.

The phishing emails were sent May 25 and claimed to contain new information on 2020 election fraud claims and included a link that allowed hackers to "achieve persistent access to compromised machines."

According to the Associated Press, Microsoft said the latest hacking attempts are ongoing and have evolved since the first campaigns were detected in January.

For more reporting from the Associated Press, see below.

Cyber Security Sign
A "Cyber Security" sign is displayed in the window of a computer store on December 18, 2020, in Arlington, Virginia. - A devastating cyberattack on US government agencies has also hit targets worldwide, with the list of victims still growing, according to researchers, heightening fears over computer security and espionage. Olivier Douliery/Getty Images

Microsoft did not say what portion of the attempts may have led to successful intrusions but said many of those targeting Microsoft customers were blocked automatically. "We're also in the process of notifying all of our customers who have been targeted," Burt said.

The cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in a post that relatively low detection rates of the phishing emails suggest the attacker was "likely having some success in breaching targets."

Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to "target government agencies involved in foreign policy as part of intelligence gathering efforts." He said the targets spanned at least 24 countries.

Separately, the prominent cybersecurity firm FireEye said it has been tracking "multiple waves" of related spear-phishing by the hackers from Russia's SVR foreign intelligence agency since March — preceding the USAID campaign — that used a variety of lures including diplomatic notes and invitations from embassies.

USAID and Constant Contact, an email marketing service used by the USAID account, provided no additional detail on how the hackers gained access. USAID spokeswoman Pooja Jhunjhunwala said Friday that a forensic investigation was ongoing and the agency was working with the Cybersecurity and Infrastructure Security Agency. Constant Contact spokeswoman Kristen Andrews called it an "isolated incident," with the impacted accounts temporarily disabled.

While the SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks as well as at least nine U.S. government agencies, was supremely stealthy and went on for most of 2020 before being detected in December by FireEye, this campaign is what cybersecurity researchers call noisy, or easy to detect.

And though "the spear phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy," FireEye's VP of analysis, John Hultquist, said in a statement Friday.

He said the incident "is a reminder that cyber espionage is here to stay."

Microsoft noted the two mass distribution methods used: the SolarWinds hack exploited the supply chain of a trusted technology provider's software updates; this campaign piggybacked on a mass email provider.

With both methods, the company said, the hackers undermine trust in the technology ecosystem.

As in the SolarWinds campaign, the exploit of the USAID marketing email was first publicized by private sector actors.

U.S. Agency for International Development
FILE - In this April 1, 2014, file photo, the headquarters for the U.S. Agency for International Development is seen in Washington. The state-backed Russian cyber spies behind the SolarWinds hacking campaign launched a targeted spear-phishing assault on U.S. and foreign government agencies and think tanks using an email marketing account of the U.S. Agency for International Development, Microsoft said, late Thursday, May 27, 2021. J. David Ake/Associated Press