The effort targeted around 3,000 email accounts at more than 150 organizations, at least a quarter of them involved in international development, humanitarian work and human rights, Microsoft vice president Tom Burt said in a blog post Thursday night.
The New York Times notes that many targeted groups are those who have criticized Russian President Vladimir Putin.
Burt’s post does not say which attempts, if any, led to successful intrusions.
A spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) told CBS News, “We are aware of the potential compromise at USAID via an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and help potential victims.”
Cybersecurity firm Volexity, which also tracked the campaign but has less visibility into email systems than Microsoft, said in an article that the relatively low detection rates of the phishing emails suggest the attacker “would probably be successful in compromising targets.”
Burt said the campaign appeared to be a continuation of multiple efforts by Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets covered at least 24 countries.
The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said. Authentic-looking phishing emails dated May 25 claimed to contain new information on 2020 election fraud allegations and included a link to malware that allows the hackers to “gain permanent access to compromised machines.”
Microsoft said in a separate blog post that the campaign is ongoing and evolved from several waves of spear-phishing first detected in January into this week’s mass mailings.
The SolarWinds campaign, which infiltrated dozens of private sector companies and think tanks as well as at least nine U.S. government agencies, was extremely stealthy and ran for most of 2020 before cybersecurity firm FireEye detected it in December. This campaign, by contrast, is what cybersecurity researchers call “loud,” meaning easy to detect.
Microsoft contrasted the two mass distribution methods: the SolarWinds hack exploited the software update supply chain of a trusted technology vendor, while this campaign relied on a mass messaging provider.
With both methods, the company said, hackers are undermining trust in the tech ecosystem.
In the blog post, Burt said, “Nation-state cyberattacks are not slowing down. We need clear rules governing the conduct of nation states in cyberspace and clear expectations about the consequences of violating those rules.”