SecurityWeek

US Says Agencies Largely Fended Off Latest Russian Hack

The White House says it believes U.S. government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month’s planned presidential summit.

Officials downplayed the cyber assault as “basic phishing” in which hackers used malware-laden emails to target the computer systems of U.S. and foreign government agencies, think tanks and humanitarian groups. Microsoft, which disclosed the effort late Thursday, said it believed most of the emails were blocked by automated systems that marked them as spam.

As of Friday afternoon, the company said it was “not seeing evidence of any significant number of compromised organizations at this time.”

Even so, the revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.

“I don’t think it’ll create a new point of tension because the point of tension is already so big,” said James Lewis, a senior vice president at the Center for Strategic and International Studies. “This clearly has to be on the summit agenda. The president has to lay down some markers” to make clear “that the days when you people could do whatever you want are over.”

The summit comes amid simmering tensions driven in part by election interference by Moscow and by a massive breach of U.S. government agencies and private corporations by Russian elite cyber spies who infected the software supply chain with malicious code. The U.S. responded with sanctions last month, prompting the Kremlin to warn of retribution.

Asked Friday whether the latest hacking effort would affect the Biden-Putin summit, principal deputy press secretary Karine Jean-Pierre said, “We’re going to move forward with that.”

The U.S., which has previously called out Russia or criminal groups based there for hacking operations, did not blame anyone for the latest incident. Microsoft attributed it to the group behind the SolarWinds campaign, in which at least nine federal agencies and dozens of private sector companies were breached through a contaminated software update.

In this case, hackers gained access to an email marketing account of the U.S. Agency for International Development and, masquerading as the government body, targeted about 3,000 email accounts at more than 150 different organizations. At least a quarter of them were involved in international development, humanitarian and human rights work, Microsoft Vice President Tom Burt said in a blog post late Thursday.

[ Related: SolarWinds Hackers Impersonate U.S. Government Agency in New Attacks ]

The company did not say what portion of the attempts may have led to successful intrusions but said in a separate technical blog post that most were blocked by automated systems that marked them as spam. The White House said even if an email eluded those systems, a user would still have to click on the link to activate the malicious payload.

Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets spanned at least 24 countries.

Separately, the prominent cybersecurity firm FireEye said it has been tracking “multiple waves” of related spear-phishing by hackers from Russia’s SVR foreign intelligence agency since March — preceding the USAID campaign — that used a variety of lures including diplomatic notes and invitations from embassies.

The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails dated May 25 purport to contain new information on 2020 election fraud claims and include a link to malware that allows the hackers to “achieve persistent access to compromised machines.”

Microsoft said the campaign is ongoing and built on escalating spear-phishing campaigns it first detected in January.

USAID spokeswoman Pooja Jhunjhunwala said Friday that it was investigating with the help of the Cybersecurity and Infrastructure Security Agency. Constant Contact spokeswoman Kristen Andrews called it an “isolated incident.”

While the SolarWinds campaign was supremely stealthy and began as far back as 2019 before being detected in December by FireEye, this campaign is what cybersecurity researchers call noisy, meaning easy to detect.

And though “the spear phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy,” FireEye’s VP of analysis, John Hultquist, said in a statement Friday. He said the incident “is a reminder that cyber espionage is here to stay.”

Many cybersecurity experts did not consider the operation an escalation of online Russian aggression.

“I think it’s par for the course,” said Jake Williams, president of Rendition Infosec and a former U.S. government hacker. He said it’s naive to think that U.S. cyber operators aren’t engaged in similar operations targeting adversaries.

Bobby Chesney, a University of Texas at Austin law professor specializing in national security, said it is nowhere near as serious as the SolarWinds hack. Nor does it come anywhere near the damage done by the ransomware attack earlier this month — by Russian-speaking criminals tolerated by the Kremlin — that temporarily knocked the Colonial Pipeline offline.

Chesney said he thought it was wrong to regard the USAID targeting as a Russian response to sanctions or a sign the sanctions were somehow feckless.

“I don’t think it proves anything, really,” Chesney said. “It’s no surprise at all that the SVR is still engaged in espionage in the cyber domain. I don’t think we tried to deter them out of doing this wholesale.”
