The United States Agency for International Development (USAID) was the victim of a May 25 spear-phishing campaign that carried all the hallmarks of a state-sponsored attack, Microsoft said yesterday.
The cyberattack targeted over 3,000 accounts in 150 organizations spanning 24 countries, Microsoft revealed in a blog post. The attack was carried out using the mass email program Constant Contact to send out emails that appeared to originate from USAID.
“USAID became aware of potentially malicious email activity from a compromised Constant Contact email marketing account,” acting USAID spokesperson Pooja Jhunjhunwala said in a statement to MeriTalk. “The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).”
Microsoft Naming Names
While USAID has passed the forensic investigation of the hack to other agencies, Microsoft had no qualms about pointing fingers: according to a company blog post, the same Russian-backed group responsible for the SolarWinds intrusion carried out this attack.
The company’s Threat Intelligence Team said the attack, carried out by threat group Nobelium, is considered an “active incident.”
“When coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Microsoft Corporate VP for Customer Security and Trust Tom Burt said in a separate blog post. “By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.”
“Nation-state cyberattacks aren’t slowing,” Burt said. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules.”
Microsoft’s Threat Intelligence Team went on to explain the mechanics of Nobelium’s spear-phishing campaign and how to mitigate the risk. The company said that, because of the volume of emails sent, most were automatically blocked and marked as spam, though some earlier emails might have been delivered.
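The mechanics described above, a message whose From header claims a trusted sender but which was actually relayed through a third-party mass-mailing account, leave a signal that a mail-receiving team can triage on: the envelope sender (Return-Path) domain and the From-header domain do not align, or the display name borrows an organisation's name while the address belongs to a different domain. The following is an added example, not code from the article, from Microsoft, or from Constant Contact; the sample messages, domains (`agency.example`, `mailer.example`, `agency-example.com`), the protected-domain list and the keyword list are constructed placeholders.

```python
"""Triage inbound mail for sender-alignment and display-name impersonation.

Added example (not from the article). All domains and messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: domains this organisation legitimately sends from, and the
# organisation names whose appearance in a display name warrants scrutiny.
PROTECTED_ORGS = {"agency.example"}
IMPERSONATION_KEYWORDS = {"agency"}

# Constructed sample messages. In production these come from the MTA; the
# Return-Path header is the envelope sender recorded at delivery time.
SAMPLES = {
    # Sent by the organisation from its own infrastructure: nothing to flag.
    "legit": b"""From: Agency News <news@agency.example>
Return-Path: <bounce@agency.example>
Subject: Weekly update

body
""",
    # From header claims the organisation, but the envelope sender belongs to
    # a mass-mailing provider: the pattern the article describes.
    "mass_mailer": b"""From: Agency News <news@agency.example>
Return-Path: <bounce-1234@mailer.example>
Subject: Urgent: new documents

body
""",
    # Aligned headers, but a look-alike domain with a borrowed display name.
    "lookalike": b"""From: Agency News <news@agency-example.com>
Return-Path: <bounce@agency-example.com>
Subject: Urgent: new documents

body
""",
}


def org_domain(domain: str) -> str:
    """Collapse a host name to its registrable domain.

    Assumption: last two labels are enough. A real deployment should use the
    public suffix list so that e.g. 'co.uk' is not treated as a domain.
    """
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def address_parts(header_value: str) -> tuple[str, str]:
    """Return (display name, registrable domain) for an address header."""
    display, addr = parseaddr(header_value)
    domain = addr.rpartition("@")[2]
    return display, org_domain(domain) if domain else ""


def triage(raw: bytes) -> dict:
    """Return alignment and impersonation signals for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, from_org = address_parts(str(msg.get("From", "")))
    _, envelope_org = address_parts(str(msg.get("Return-Path", "")))

    # SPF-style alignment: the envelope sender must belong to the same
    # registrable domain as the visible From address.
    aligned = bool(from_org) and from_org == envelope_org

    # Display name mentions a protected organisation while the address domain
    # is not one the organisation actually owns.
    borrowed_name = any(k in display.lower() for k in IMPERSONATION_KEYWORDS)
    impersonation = borrowed_name and from_org not in PROTECTED_ORGS

    reasons = []
    if not aligned:
        reasons.append(f"envelope sender {envelope_org!r} != From {from_org!r}")
    if impersonation:
        reasons.append(f"display name {display!r} with unprotected domain {from_org!r}")

    return {
        "from_domain": from_org,
        "envelope_domain": envelope_org,
        "aligned": aligned,
        "display_name_impersonation": impersonation,
        "review": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{name:12s} review={result['review']} {result['reasons']}")
```

A non-aligned envelope sender is a triage signal, not a verdict: an organisation that itself sends newsletters through a mass-mailing provider produces the same mismatch, which is why DMARC treats a DKIM signature aligned with the From domain as an alternative pass. The check is useful for the case the article describes precisely because a compromised marketing account cannot present a DKIM signature for a domain it does not control.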