SolarWinds Hackers Strike State Department Aid Agency in Russian Cyberattack Escalation

Hackers linked to Russia's main intelligence agency seized an email system used by the U.S. State Department's international aid agency to breach computer networks of human rights groups and other government agencies, Microsoft said on Thursday.

The revelation comes just three weeks before President Joe Biden is set to meet Russian counterpart Vladimir Putin at a tense summit in Geneva.

Microsoft said in a blog on Thursday it had uncovered a "wide-scale malicious email campaign" operated by Nobelium, the Russian group behind the attacks on SolarWinds customers in 2020.

The attacks this week targeted government agencies, think tanks, consultants, and non-governmental organizations, Microsoft said.

The computing company said it had been monitoring the campaign since January and that it evolved over a series of waves "demonstrating significant experimentation."

It added that the cyber-campaign escalated on May 25, after Nobelium burrowed into a marketing account used by the United States Agency for International Development (USAID), and from there launched phishing attacks on many other organizations. With this latest attack, Nobelium attempted to target approximately 3,000 individual accounts across more than 150 organizations.

The recent hack appeared to originate from authentic USAID email addresses, masquerading as an alert from the development agency.

"Due to the high-volume campaign, automated systems blocked most of the emails and marked them as spam. However, automated systems might have successfully delivered some of the earlier emails to recipients," Microsoft said.

Microsoft said successful deployment of these payloads enables the hackers to "achieve persistent access to compromised systems." A successful breach could enable Nobelium to move through the network to search for targets and deliver additional malware.

The tech giant noted that the hacking was still "an active incident," and said it would post more details on its blog as they become available.

Microsoft warned that Nobelium's hacking tactics had become more sophisticated.

"Due to the fast-moving nature of this campaign and its perceived scope, Microsoft encourages organizations to investigate and monitor communications matching characteristics described in this report and take the actions described below in this article," Microsoft said in its statement.

"We continue to see an increase in sophisticated and nation-state-sponsored attacks and, as part of our ongoing threat research and efforts to protect customers, we will continue to provide guidance to the security community on how to secure against and respond to these multi-dimensional attacks."

Microsoft urged companies to turn on cloud-delivered protection in its Microsoft Defender Antivirus software and to enable network protection. It also encouraged multifactor authentication to mitigate compromised credentials, and urged all customers to download and use passwordless solutions, like Microsoft Authenticator, to secure accounts. It also urged individuals to use two-step verification to strengthen security.

Nobelium has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. The hacking in December 2020 of technology company SolarWinds was described by Microsoft President Brad Smith as "the largest and most sophisticated attack the world has ever seen." The U.S. State Department, NATO, the British government, the European Parliament, Microsoft and others were all affected by the breach.

The Biden administration, as well as the U.K., has blamed it on Nobelium and Moscow. On May 18, Russia's spy chief denied responsibility for the cyberattack, but said he was "flattered" by the accusations.

The U.S. and Britain have blamed Russia's Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for helping orchestrate the SolarWinds hack.

The U.S. slapped sanctions on Russia in April, covering 46 individuals and entities implicated in Moscow's annexation of Crimea. But Biden fell short of designating the company building the controversial Russian gas pipeline Nord Stream 2, which may allow the Eastern European country to wield greater influence on the continent.

The data breaches and Ukraine will likely be on the agenda when Biden meets Putin in Switzerland on June 16, as well as the poisoning and jailing of opposition leader Alexei Navalny.

A stock photo of a computer hacker. Hackers connected to Russia’s main intelligence agency seized an email system used by the U.S. State Department’s international aid agency to enter computer networks of human rights groups that have been critical of President Vladimir Putin, Microsoft said on Thursday. Sean Gallup/Getty