Microsoft on Thursday disclosed a large-scale cyberattack that it says is being carried out by hackers linked to Russian intelligence services, the same group that is behind the. The hackers gained access to the messaging system used by the US Agency for International Development (USAID), a State Department agency specializing in foreign aid, and sent malicious emails to “approximately 3,000 individual accounts in over 150 organizations,” according to a threat alert from Microsoft.
Microsoft said the hacking campaign is still active and some malicious emails have been sent as recently as this week.
A spokesperson for the US Agency for Cybersecurity and Infrastructure Security said the agency was “aware of the potential compromise to USAID via an email marketing platform,” adding that it “was working with the FBI and USAID to better understand the extent of the compromise and help potential victims.”
This newly disclosed cyberattack comes just over a month after the United States formally imposed sanctions on Russia for alleged election interference and malicious cyber activity, including the widespread SolarWinds hack. Key intelligence agencies had previously said Russia was the likely source of the SolarWinds hack, which used tainted software from the IT management company SolarWinds to penetrate several US federal agencies and at least 100 private companies.
Microsoft said it has been tracking this new hacking campaign since January 2021, but things escalated significantly on Tuesday when the hackers “leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and verticals.” Because of the high volume of malicious email sent, some messages may have been caught by spam filters, but others have likely made it past automated systems and into the targeted inboxes, Microsoft said.
If a recipient clicked the link in the email, they would download a malicious file that could give the hackers “persistent access to compromised systems,” according to Microsoft. This could in turn allow the hackers to “carry out action objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”
Acting USAID spokesperson Pooja Jhunjhunwala said the agency was investigating the incident.
“(USAID) has become aware of potentially malicious email activity from a compromised Constant Contact email marketing account. The forensic investigation into this security incident is ongoing. USAID has notified and is working with all relevant federal authorities, including the US Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said in an emailed statement to CNET.
When contacted for comment, a spokesperson for Constant Contact told CNET the company has deactivated the affected accounts.
“We are aware that the account credentials of one of our clients have been compromised and used by a malicious actor to access the client’s Constant Contact accounts. This is an isolated incident, and we have temporarily deactivated the affected accounts while we work in cooperation with our client, who is working with law enforcement,” said the spokesperson.
Neither the White House nor the Russian Embassy in Washington immediately responded to a request for comment.