What we know about the apparent Russian hack exploiting a U.S. Aid agency

Hackers used USAID's email marketing account to send messages that looked legitimate — but links in the email exposed recipients to malicious software, Microsoft says.
Hackers used USAID's email marketing account to send messages that looked legitimate — but links in the email exposed recipients to malicious software, Microsoft says.
Screengrab by Microsoft

Updated: 11:50 p.m.

The same Russian hackers who carried out the SolarWinds attack and other malicious campaigns have now attacked groups involved in international development, human rights and other issues, according to Microsoft. The company says the breach began with a takeover of an email marketing account used by the U.S. Agency for International Development.

News of the attack comes less than three weeks before President Biden is slated to hold a summit with Russian President Vladimir Putin. The White House said earlier this week that Biden wants to "restore predictability and stability" in the two countries' relationship. Press Secretary Jen Psaki issued that statement on May 25 — the same day the hackers escalated their attack, according to Microsoft.

Russian presidential press secretary Dmitry Peskov denied his country is involved, saying Microsoft was making an "unfounded accusation," according to the Interfax news agency.

Here's what we know about the new hacking campaign:

The hackers

The new cyber campaign was orchestrated by a group Microsoft calls Nobelium, though it may be better known as Cozy Bear or APT29. The group is thought to be run out of the Russian intelligence service, or SVR.

The tech company says recipients were sent emails that looked to be from USAID — but which contained links that could install malicious code, giving hackers wide-ranging access.

The messages were sent from USAID's account with Constant Contact, a large email marketing and branding company. Microsoft says emails containing malicious URLs were sent to roughly 3,000 accounts at more than 150 organizations.

"Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020," Microsoft says. "These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts."

Russia has denied responsibility for the SolarWinds attack, which was also a supply chain attack, exploiting government agencies' relationship with a private company. The U.S. hit Russia with sanctions over SolarWinds last month, accusing the country of an attack that breached elements of the U.S. Homeland Security and Treasury departments.

The initial targets

USAID carries out missions worldwide that range from promoting democracy and human rights to backing economic development and helping populations in crisis.

Acknowledging the attack in a statement sent to NPR, USAID Acting Spokesperson Pooja Jhunjhunwala confirmed that the hack originated in a compromised email marketing account.

"The forensic investigation into this security incident is ongoing," she said. USAID is now working with the Cybersecurity and Infrastructure Security Agency, along with DHS (CISA's parent agency) and other agencies, Jhunjhunwala added.

Constant Contact, a Massachusetts company that has more than 600,000 customers worldwide, says the attack is an isolated incident.

"We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer's Constant Contact accounts," a company spokesperson tells NPR. The company says it has temporarily disabled the affected accounts, adding that it's "working with our customer, who is working with law enforcement."

Note: Both Microsoft and Constant Contact are financial supporters of NPR.

How the hack worked

The initial phases of the attack began in January, Microsoft says. After a period of probing and experimentation, the company says, the hackers used a spear-phishing campaign to launch a large-scale attack on May 25.

Like many similar hacks, the campaign includes several essential elements.

Gaining access: Using Constant Contact's emailing tools, the hackers send legitimate-looking messages from spoofed email addresses that include a link. People who click that link are sent to a legitimate related service — but they're also redirected to malicious infrastructure controlled by Nobelium, Microsoft says.

Installing malware: A payload of malware is delivered to target computers, is installed, and then executes, giving the hackers access.

Command and control: Upon being engrained in users' computers, the malware activates a beacon that sends attackers a notice to alert them to a successful intrusion. The hackers can then extract data and deliver additional malware.

The high-volume email campaign prompted automatic systems to block many of the emails and mark them as spam, Microsoft says. But the company adds that the earliest emails that were sent might have been successfully delivered.

The full scope of the attack — the compromised systems, and affected accounts — is not yet known.

The U.S. response

The Biden administration has not yet laid blame for the attack. The White House National Security Council says it's monitoring the incident, an NSC spokesperson said Friday.

So far, the impact of the new phishing incident seemed to be limited, the NSC spokesperson said, noting that Microsoft had said that many of the phishing emails sent through the service used by USAID had likely been blocked by automated systems.

The spokesperson spoke on condition of anonymity about the incident, noting that the U.S. intelligence community has not said who they believe is responsible.

The White House had no immediate comment on Friday on whether the new hack might affect plans for the upcoming summit between Biden and Putin.

The Biden administration says it's pushing forward on a plan to improve federal agencies' security in computer networks and software — part of an executive order issued after the SolarWinds hack.

In a statement on the latest attack, Sen. Mark R. Warner, D-Va., chairman of the Senate Select Committee on Intelligence, said, "We have to step up our cyber defenses, and we must make clear to Russia – and any other adversaries – that they will face consequences for this and any other malicious cyber activity."

Copyright 2021 NPR. To see more, visit https://www.npr.org.

Your support matters.

You make MPR News possible. Individual donations are behind the clarity in coverage from our reporters across the state, stories that connect us, and conversations that provide perspectives. Help ensure MPR remains a resource that brings Minnesotans together.