WASHINGTON – Just weeks before President Joe Biden will meet Russian President Vladimir Putin, the United States was again targeted by hackers with suspected ties to Russia.
Microsoft Vice President Tom Burt announced Thursday evening that about 3,000 email accounts across 24 countries, at more than 150 organizations were targeted in the “wave of attacks.”
Microsoft identified Nobelium as the group that carried out the cyber attacks. It’s the same group that was behind the massive SolarWinds attack late last year.
The Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, said: “We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”
Here’s what we know about the hack:
Hackers used Trump in phishing scam
The hackers used former President Donald Trump’s name in emails sent to the targeted users, according to a sample of one of the scams posted by Microsoft.
According to the sample of the phishing emails, the subject line of the email said: “USAID Special Alert!” The email was sent from a USAID.gov email address. The email said “Donald Trump has published new documents on election fraud,” with a “view documents” button underneath it.
For months, Trump has questioned the validity of the results of the 2020 election.
Those who clicked on the link were sent to a legitimate service by Constant Contact, a marketing company. However, users would then be redirected to a file that was part of the “NOBELIUM-controlled infrastructure,” Microsoft said.
After being redirected, an archive file would be automatically downloaded that included a PDF file, an LNK file, and a DLL file entitled “Reports.” Those who clicked on the DLL file would download a backdoor that gave Nobelium access to the user’s system.
“The successful execution of these malicious payloads could enable NOBELIUM to conduct action-on-objectives, such as lateral movement, data exfiltration, and delivery of additional malware,” Microsoft said.
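The delivery chain described above ends with an archive that bundles a decoy document with a shortcut (LNK) and a DLL. The following Python script is an added example, not code from the article or from Microsoft, showing how a mail gateway or endpoint tool can triage such an archive before a user opens it: it classifies the archive's members by file type and flags the decoy-document-plus-executable pattern, and the LNK-plus-DLL pairing specifically. The sample archive and its member names are constructed placeholders with inert contents; the extension lists are a general defensive baseline and are an assumption, not something the article specifies.

```python
import io
import os
import zipfile
from typing import Dict, List

# File types that can execute code or launch another file when opened from an archive.
# LNK and DLL are the types named in the article; the rest of the list is a common
# defensive baseline (an assumption of this example, not from the article).
EXECUTABLE_EXTS = {".lnk", ".dll", ".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".msi"}
# File types that usually serve as the "decoy" the victim is meant to see.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_members(names: List[str]) -> Dict[str, List[str]]:
    """Split archive member names into document-like, executable-like and other."""
    result: Dict[str, List[str]] = {"documents": [], "executables": [], "other": []}
    for name in names:
        ext = os.path.splitext(name.lower())[1]  # case-insensitive extension check
        if ext in EXECUTABLE_EXTS:
            result["executables"].append(name)
        elif ext in DOCUMENT_EXTS:
            result["documents"].append(name)
        else:
            result["other"].append(name)
    return result


def triage_archive(data: bytes) -> Dict[str, object]:
    """Return a triage verdict for an in-memory ZIP archive.

    A decoy document shipped together with a shortcut and a DLL matches the pattern
    the article describes: the document gives the user something to read while the
    shortcut/DLL pair is what actually runs.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = classify_members(zf.namelist())
    exts = {os.path.splitext(m.lower())[1] for m in members["executables"]}
    reasons: List[str] = []
    if members["executables"]:
        reasons.append("archive contains executable or shortcut files: "
                       + ", ".join(members["executables"]))
    if ".lnk" in exts and ".dll" in exts:
        reasons.append("LNK shortcut bundled with a DLL (shortcut-launches-library pattern)")
    if members["documents"] and members["executables"]:
        reasons.append("decoy document alongside executable content")
    return {"suspicious": bool(reasons), "reasons": reasons, "members": members}


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the member types listed in the article.

    Member names and contents are inert placeholders, not real artefacts.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("Reports.lnk", b"placeholder shortcut bytes")
        zf.writestr("Reports.dll", b"MZ placeholder")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive containing only documents, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quarterly-report.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        verdict = triage_archive(blob)
        print(label, "SUSPICIOUS" if verdict["suspicious"] else "clean")
        for reason in verdict["reasons"]:
            print("  -", reason)
```

Run it as-is to compare the two constructed archives; in practice `triage_archive` would be fed the bytes of an attachment or download at the point where it is quarantined, and a hit on the LNK-plus-DLL reason is worth blocking outright rather than merely warning about.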
Nobelium, SolarWinds, Cozy Bear, the Dukes: Know this hacker group
Microsoft identified Nobelium as the group that carried out the attacks.
Nobelium was also behind the SolarWinds attack last year that is considered one of the worst cyber breaches the U.S. has ever suffered.
In the SolarWinds attack, hackers went undetected for nine months as they targeted U.S. government departments, about 100 private companies and several organizations in the United Kingdom. Roughly 18,000 customers had installed malicious software from the attack.
The Biden Administration sanctioned more than three dozen individuals and companies and expelled 10 Russian diplomats following the attack.
Nobelium is also known as Cozy Bear and the Dukes, among other aliases.
Cozy Bear was behind a hack into the Democratic National Committee servers in 2016. Last year, Cozy Bear was also accused by the NSA and other intelligence organizations abroad of trying to steal data on vaccines and treatments for COVID-19 that the U.S., the United Kingdom and Canada were developing.
Biden to meet with Putin in June
Earlier this week, the Biden Administration announced that Biden and Putin would hold their first face-to-face meeting since Biden became president in Geneva on June 16.
The two leaders will focus on a “full range of pressing issues,” White House press secretary Jen Psaki said in a statement Tuesday.
In addition to the sanctions for the SolarWinds attack, Biden in March imposed sanctions on Russia over the poisoning and detention of Russian opposition leader Alexei Navalny.
Reach Rebecca Morin at Twitter @RebeccaMorin_
Contributing: Kim Hjelmgaard and Deirdre Shesgreen