Russian hackers breach aid agency

Putin detractors said to be targets

The headquarters for the U.S. Agency for International Development is seen in Washington in this April 1, 2014, file photo. (AP/J. David Ake)

Hackers linked to Russian intelligence agencies surreptitiously seized an email system used by the U.S. government's international aid agency to burrow into the computer networks of human-rights groups and other organizations of the sort that have been critical of President Vladimir Putin, Microsoft Corp. disclosed Thursday.

Discovery of the breach was made only three weeks before President Joe Biden is scheduled to meet Putin in Geneva, and at a moment of increased tension between the two nations -- in part because of a series of increasingly sophisticated cyberattacks emanating from Russia.

Asked Friday whether the latest hacking effort would affect the Biden-Putin summit, principal deputy press secretary Karine Jean-Pierre said, "We're going to move forward with that."

The newly disclosed attack was particularly bold: By breaching the systems of a supplier used by the federal government, the hackers sent out genuine-looking emails to more than 3,000 accounts across more than 150 organizations that regularly receive communications from the U.S. Agency for International Development. Those emails went out as recently as this week, and Microsoft said it believes the attacks are ongoing.

The email was implanted with code that would give the hackers unlimited access to the computer systems of the recipients, from "stealing data to infecting other computers on a network," Tom Burt, a Microsoft vice president, wrote Thursday night.

The White House said it believes government agencies largely fended off the latest onslaught. Officials downplayed the cyberassault as "basic phishing" in which hackers used malware-laden emails to target the computer systems of U.S. and foreign government agencies, think tanks and humanitarian groups.

Microsoft said it believed most of the emails were blocked by automated systems that marked them as spam. As of Friday afternoon, the company said that it was "not seeing evidence of any significant number of compromised organizations at this time."

Last month, Biden announced a series of new sanctions on Russia and the expulsion of diplomats for a sophisticated hacking operation, called SolarWinds, that used novel methods to breach at least seven government agencies and hundreds of large U.S. companies.

That attack went undetected by the U.S. government for nine months; it was discovered by a cybersecurity firm. In April, Biden said he could have responded far more strongly, but "chose to be proportionate" because he did not want "to kick off a cycle of escalation and conflict with Russia."

The Russian response nonetheless seems to have been escalation. The malicious activity was underway as recently as the past week. That suggests the sanctions and whatever additional covert actions the White House carried out -- part of a strategy of creating "seen and unseen" costs for Moscow -- have not choked off the Russian government's appetite for disruption.

A spokesperson for the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security said late Thursday that the agency was "aware of the potential compromise" at the Agency for International Development and that it was "working with the FBI and USAID to better understand the extent of the compromise and assist potential victims."

KREMLIN LINKS

Microsoft identified the Russian group behind the attack as Nobelium, and said it was the same group responsible for the SolarWinds hack. Last month, the U.S. government explicitly said that SolarWinds was the work of the SVR, one of the most successful spinoffs of the Soviet-era KGB.

The same agency was involved in the hacking of the Democratic National Committee in 2016, and before that in attacks on the Pentagon, the White House email system and the State Department's unclassified communications.

The SVR has grown increasingly aggressive and creative, federal officials and experts say. The SolarWinds attack was carried out through code implanted in network management software that the government and private companies use widely. When customers updated the SolarWinds software -- much like updating an iPhone overnight -- they were unknowingly letting in an invader.

Among the victims last year were the departments of Homeland Security and Energy, as well as nuclear laboratories.

When Biden took office, he ordered a study of the SolarWinds case, and officials have been working to prevent future "supply chain" attacks, in which adversaries infect software used by federal agencies. That is similar to what happened in this case, when Microsoft's security team caught the hackers using a widely used email service, provided by a company called Constant Contact, to send malicious emails that appeared to come from genuine addresses at the international aid agency.

But the content was, at times, hardly subtle. In one email sent through Constant Contact's service Tuesday, the hackers highlighted a message claiming that "Donald Trump has published new emails on election fraud." The email bore a link that, when clicked, drops malicious files onto the computers of the recipients.

Microsoft noted that the attack differed "significantly" from the SolarWinds hack, using new tools and tradecraft in an apparent effort to avoid detection. It said the attack was still in progress and that the hackers were continuing to send spearphishing emails, with increasing speed and scope. That's why Microsoft took the unusual step of naming the agency whose email addresses were being used and of publishing samples of the fake email.

In essence, the Russians got into the agency's email system by routing around the agency and going directly after its software suppliers. Constant Contact manages mass emails and other communications on the aid agency's behalf.

"Nobelium launched this week's attacks by gaining access to the Constant Contact account of USAID," Burt of Microsoft wrote. Constant Contact could not be reached for comment.

Microsoft, like other major firms involved in cybersecurity, maintains a vast sensor network to look for malicious activity on the internet, and it is frequently a target itself. It was deeply involved in revealing the SolarWinds attack.

In this case, Microsoft reported, the goal of the hackers was not to go after the State Department or the aid agency, but to use their connections to get inside groups that work in the field -- and in many cases rank among Putin's most potent critics.

"At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work," Burt wrote. While he did not name them, many such groups have revealed Russian action against dissidents, or protested the poisoning, conviction and jailing of Russia's best-known opposition leader, Alexei Navalny.

The attack suggests Russia's intelligence agencies are stepping up their campaign, perhaps to demonstrate that the country would not back down in the face of sanctions, the expulsion of diplomats and other pressure.

PUTIN ON NOTICE

Biden raised the SolarWinds attack with Putin in a phone call last month, telling him that the sanctions and expulsions were a demonstration of how his administration no longer would tolerate an increased tempo of cyberoperations.

Putin has denied Russian involvement, and some Russian news outlets have argued that the United States was responsible for the attack against itself.

At the time, the White House also placed a range of new sanctions on Russian individuals and assets, including new restrictions on purchasing Russia's sovereign debt, which will make it more difficult for Russia to raise money and support its currency.

"This is the start of a new U.S. campaign against Russian malign behavior," Treasury Secretary Janet Yellen said at the time.

Tensions over Russia's harboring of cybercriminals escalated significantly this month after a ransomware group held hostage the business networks at Colonial Pipeline. The attack forced the company to shut down a pipeline that delivers nearly half the gas, diesel and jet fuel to the East Coast, prompting a surge in gas prices and panic buying at the pump.

Biden said two weeks ago that "we have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks."

Regarding the latest attack, "I don't think it'll create a new point of tension because the point of tension is already so big," said James Lewis, a senior vice president at the Center for Strategic and International Studies. "This clearly has to be on the summit agenda. The president has to lay down some markers" to make clear "that the days when you people could do whatever you want are over."

Many cybersecurity experts did not consider the operation an escalation of online Russian aggression.

"I think it's par for the course," said Jake Williams, president of Rendition Infosec and a former U.S. government hacker. He said it's naive to think that U.S. cyberoperators aren't engaged in similar operations targeting adversaries.

Bobby Chesney, a University of Texas at Austin law professor specializing in national security, said it's nowhere near as significant as the SolarWinds hack. Nor does it come anywhere near the damage done by the ransomware attack earlier this month -- by Russian-speaking criminals tolerated by the Kremlin -- that temporarily knocked out Colonial Pipeline.

Chesney said he thought it was wrong to regard the targeting of the aid agency as a Russian response to sanctions or a sign the sanctions were somehow feckless.

"I don't think it proves anything, really," Chesney said. "It's no surprise at all that the SVR is still engaged in espionage in the cyber domain. I don't think we tried to deter them out of doing this wholesale."

Information for this article was contributed by David E. Sanger and Nicole Perlroth of The New York Times; and by Frank Bajak, Eric Tucker and Alan Suderman of The Associated Press.