Russian group behind SolarWinds spy campaign conduct new cyber attacks

The Russian hackers behind the SolarWinds espionage campaign have conducted a new wave of global cyber attacks by hijacking an email system used by a US government agency, Microsoft said on Thursday.

The US technology company said the group launched the attacks this year targeting 3,000 email accounts at more than 150 government agencies, think-tanks, consultancies and non-governmental organisations.

Microsoft started tracking the effort in January, but the attacks escalated this week after the hackers hijacked a mass email system called Constant Contact to pose as the United States Agency for International Development. They used it to launch a malicious email, or phishing, campaign whereby hackers could perform “a wide range of activities from stealing data to infecting other computers on a network” if a recipient clicked on a link in a message.

The scheme, which Microsoft said was an “active incident”, mainly focused on the US but spanned at least 24 countries. At least a quarter of those targeted were involved in international development, humanitarian and human rights work.

The company attributed the attacks to the same Russian group that carried out the sprawling SolarWinds spying campaign discovered last year, when hackers hijacked software made by the Texas-based company to access the US commerce and Treasury departments, as well as other local and federal agencies. The White House said last month the group was part of the Russian Foreign Intelligence Service.

Joe Biden, the US president, has faced calls to bolster the country’s cyber defences following the campaign, a recent Chinese state-backed espionage campaign that exploited vulnerabilities in Microsoft’s email software and an attack on a US petroleum pipeline company by a criminal group this month. 

The Biden administration imposed sanctions on Russia and signed an executive order this month requiring higher cyber security standards for federal agencies and their technology software providers. 

Microsoft said “many of the attacks” that targeted its customers were blocked because automated systems marked the emails as spam and its systems prevented the malicious software from gaining access.

It is unclear if any organisations were breached despite these security measures. Microsoft declined to comment.

Tom Burt, Microsoft’s corporate vice-president of customer security and trust, said the latest attacks “appear to be a continuation of multiple efforts by [the hackers] to target government agencies involved in foreign policy as part of intelligence-gathering efforts”.

“When coupled with the attack on SolarWinds, it’s clear that part of [the hackers’] playbook is to gain access to trusted technology providers and infect their customers,” he added.

Constant Contact said it was “aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts”.

“This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in co-operation with our customer, who is working with law enforcement,” it added.

Daily newsletter

#techFT brings you news, comment and analysis on the big companies, technologies and issues shaping this fastest moving of sectors from specialists based around the world. Click here to get #techFT in your inbox.