The Russian state-sponsored cyberspies working behind the SolarWinds hacking campaign launched this week a spear-phishing assault targeting the U.S., think tanks, and foreign government agencies using the U.S. Agency for International Development email marketing account, Microsoft said.
The hacking campaign targeted about 3,000 email accounts across 150 different organizations. Some of the organizations are involved in humanitarian, human rights work, and international development, said Microsoft Vice President Tom Burt in a blog post late Thursday.
“The campaign appeared to be a continuation of multiple efforts by the Russian hackers to target government agencies involved in foreign policy as part of intelligence gathering efforts.” Burt said. The targets spanned at least 24 countries.
The cybersecurity firm Volexity also tracked the hacking campaign but has less visibility into email systems than Microsoft. They said that due to the relatively low detection rates of the phishing emails, the attackers were “likely having some success in breaching targets.”
“The hackers gained access to USAID’s account at Constant Contact, an email marketing service. The authentic-looking phishing emails dated May 25 purport to contain new information on 2020 election fraud claims and include a link to malware that allows the hackers to achieve persistent access to compromised machines,” Microsoft said.
The campaign is still active and has evolved out of several waves of spear-phishing campaigns first detected in January and escalated to the mass-mailings this week, according to Microsoft.
The SolarWinds campaign is what cybersecurity researchers call noisy. Although it was supremely stealthy and went on for most of 2020, infiltrating dozens of private sector companies and at least nine U.S. government agencies, it was detected by the cybersecurity firm FireEye in December.
According to Microsoft, the two mass distribution methods of the SolarWinds campaign exploited the supply chain of a technology provider’s software updates, and the hackers piggybacked on a mass email provider. The hackers aim to undermine trust in the technology ecosystem.