Hackers linked to Russia’s main intelligence agency secretly took over an email system used by the State Department’s international aid agency in order to dig into the computer networks of human rights groups and other organizations critical of President Vladimir V. Putin, Microsoft Corporation announced on Thursday.

The breach was discovered only three weeks before President Biden’s planned meeting with Mr. Putin in Geneva, and at a moment of rising tensions between the two nations, fueled in part by a series of increasingly sophisticated cyberattacks from Russia.

The newly uncovered attack was also particularly bold: by compromising the systems of a supplier used by the federal government, the hackers this week sent emails from more than 3,000 real-looking accounts to more than 150 organizations that regularly receive communications from the United States Agency for International Development.

Code implanted in the email gave the hackers unlimited access to the recipient’s computer systems, “from stealing data to infecting other computers on a network,” Tom Burt, a Microsoft vice president, wrote on Thursday evening.

Last month, Mr. Biden announced a set of new sanctions on Russia and the expulsion of diplomats in response to a sophisticated hacking operation, known as SolarWinds, which used novel methods to breach at least seven government agencies and hundreds of large American corporations.

That attack went undetected by the US government for nine months, until a cybersecurity company discovered it. In April, Mr Biden said he could have responded much more strongly but “chose to be proportionate” because he did not want to “start a cycle of escalation and conflict with Russia”.

The Russian response, however, appears to have been an escalation. The malicious activity began only within the past week. This suggests that the sanctions and any additional covert action by the White House – part of a strategy to impose “visible and invisible” costs on Moscow – have not stifled the Russian government’s appetite for disruption.

A spokesman for the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security said late Thursday that the agency is “aware of the possible compromise” at the Agency for International Development and is working “with the FBI and USAID to better understand the level of compromise and support potential victims.”

Microsoft identified the Russian group behind the attack as Nobelium and said it was the same group responsible for the SolarWinds hack. Last month, the US government explicitly stated that SolarWinds was the work of the SVR, one of the most successful Soviet-era spin-offs of the KGB.

The same agency was involved in the hacking of the Democratic National Committee in 2016 and, earlier, in attacks on the Pentagon, the White House email system, and the State Department’s unclassified communications.

It has grown increasingly aggressive and creative, federal officials and experts say. The SolarWinds attack was never detected by the US government; it was carried out through code implanted in network management software that is widely used by the government and by private companies. When customers updated their SolarWinds software – much as an iPhone updates itself overnight – they unwittingly let in an intruder.

The victims last year included the Departments of Homeland Security and Energy, as well as nuclear laboratories.

When Mr Biden took office, he ordered a study of the SolarWinds case, and officials have been working to prevent future supply chain attacks, in which adversaries infect software used by federal agencies. That is similar to what happened here, when Microsoft’s security team caught the hackers using Constant Contact, a widely used email service, to send malicious emails that appeared to come from real addresses at the international development agency.

But the content was at times hardly subtle. In an email sent through the Constant Contact service on Tuesday, the hackers pushed a message claiming that “Donald Trump had published new emails about election fraud.” The email contained a link that, when clicked, placed malicious files on the recipient’s computer.

Microsoft found that the attack was “significantly” different from the SolarWinds hack and used new tools and tradecraft to avoid detection. Microsoft said the attack was still ongoing and that the hackers continued to send spearphishing emails with increasing speed and reach. For that reason, Microsoft took the unusual step of naming the agency whose email addresses were used and publishing examples of the spoofed email.

Essentially, the Russians got into the Agency for International Development’s email system by going around the agency itself and straight to its software supplier. Constant Contact manages bulk emails and other communications on behalf of the aid agency.

“Nobelium launched this week’s attacks by gaining access to USAID’s Constant Contact account,” wrote Microsoft’s Burt. Constant Contact could not be reached for comment.

Microsoft, like other large cybersecurity companies, maintains a large network of sensors to search for malicious activity on the Internet and is often a target itself. It was instrumental in uncovering the SolarWinds attack.

In this case, Microsoft reported, the hackers’ goal was not to target the State Department or the aid agency itself, but rather to use their connections to get into groups that work on the ground – and that in many cases are among Putin’s strongest critics.

“At least a quarter of the target organizations were involved in international development, humanitarian and human rights work,” wrote Burt. Although he did not name them, many such groups have exposed Russian actions against dissidents or protested the poisoning, conviction and imprisonment of Russia’s most prominent opposition leader, Alexei A. Navalny.

The attack suggests that Russian intelligence agencies are stepping up their campaign, perhaps to demonstrate that the country will not back down in the face of sanctions, the expulsion of diplomats and other pressures.

Mr Biden raised the SolarWinds attack on a phone call with Mr Putin last month, telling him that the sanctions and expulsions are evidence that his government would no longer tolerate an accelerated pace of cyber operations.

Mr Putin has denied Russia’s involvement, and some Russian news outlets have argued that the United States launched the attack against itself.

At the same time, the White House also imposed a number of new sanctions on Russian individuals and assets, including new restrictions on buying Russia’s national debt that will make it difficult for Russia to raise money and support its currency.

“This is the beginning of a new US campaign against malicious behavior by Russia,” Treasury Secretary Janet L. Yellen said at the time.

Tensions over the harboring of cybercriminals in Russia escalated significantly this month after a ransomware group held hostage the corporate networks of Colonial Pipeline. The attack forced the company to shut down a pipeline that carries nearly half of the gasoline, diesel and jet fuel used on the east coast, sparking a spike in gas prices and panic buying at the pump.

Mr Biden said two weeks ago: “We spoke in direct communication with Moscow about the need for the responsible countries to take decisive action against these ransomware networks.”
