Microsoft on Thursday disclosed a wide-scale cyberattack that it says is being operated by hackers linked to Russian intelligence, the same ones behind the . The hackers gained access to the email system used by US Agency for International Development, a State Department agency focused on foreign aid, and sent malicious emails to “around 3,000 individual accounts across more than 150 organizations,” according to a threat alert from Microsoft.
Microsoft said the hacking campaign is still active and that some malicious emails were sent as recently as this week.
A spokesperson for the US Cybersecurity and Infrastructure Security Agency said the agency is “aware of the potential compromise at USAID through an email marketing platform,” adding that it’s “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
This newly disclosed cyberattack comes just over a month after the US officially imposed sanctions against Russia for alleged election interference and malicious cyberactivity, including the widespread SolarWinds hack. Key intelligence agencies had already said Russia was the likely origin of the SolarWinds hack, which used tainted software from IT management company SolarWinds to penetrate multiple US federal agencies and at least 100 private companies.
Microsoft said it had been tracking this new hacking campaign since January 2021 but things escalated significantly on Tuesday when hackers “leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.” Due to the high volumes of malicious emails sent, some might have been caught by spam filters but others likely made it past automated systems to the intended inboxes, Microsoft said.
If a person clicked on the link in the email, it would upload a malicious file that could give the hackers “persistent access to compromised systems,” according to Microsoft. This could potentially allow for the hackers to “conduct action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”
The Russian embassy in Washington didn’t immediately respond to a request for comment.
More to come.