What Microsoft Officials Know About Russia's Phishing Hack Targeting USAID

May 28, 2021
Originally published on May 28, 2021 5:04 pm

Microsoft officials say hackers linked to the Russian intelligence service, SVR, appear to have launched another supply chain attack — this time on a company that allowed the intruders to slip into the computer networks of a roster of human rights groups and think tanks.

Microsoft said it discovered the breach this week and believes it began with hackers breaking into an email marketing company called Constant Contact, which provides services to, among others, the United States Agency for International Development.

Once they had broken in, the hackers sent out emails that looked like they came from USAID. Those emails contained links that, when recipients clicked on them, quietly loaded malware onto their systems and gave the hackers full access. They could read emails, steal information and even plant additional malware for use later.
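The pattern described above, a message whose display name invokes a trusted sender while the actual address belongs to a third-party mailing service, is something a mail gateway or analyst script can check for. The following is an added example written for this page, not code from NPR or Microsoft; the sample message, the `marketing-provider.example` and `thinktank.example` domains, and the brand-to-domain table are constructed placeholders, not indicators from the real campaign.

```python
"""Added example: defender-side triage of a brand-impersonation phishing email.

It flags the pattern the article describes: the From display name claims to
be an organisation (here USAID), but the sending address and the embedded
links sit on an unrelated third-party domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages. All addresses and domains are invented for
# this example and are not indicators from the real campaign.
SUSPECT_EMAIL = """\
From: USAID Special Alert <updates@marketing-provider.example>
To: analyst@thinktank.example
Subject: Special alert from USAID
Content-Type: text/plain

Read the full report here: https://links.marketing-provider.example/track/abc123
"""

LEGIT_EMAIL = """\
From: USAID Updates <updates@usaid.gov>
To: analyst@thinktank.example
Subject: Monthly newsletter
Content-Type: text/plain

Read more at https://www.usaid.gov/news
"""

# Brand keywords an organisation wants protected, mapped to the domain that
# legitimately sends on the brand's behalf (assumption: one domain per brand).
IMPERSONATED_BRANDS = {"usaid": "usaid.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _under(domain, parent):
    """True when domain equals parent or is a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def display_name_mismatch(from_header):
    """Return (brand_domain, actual_domain) when the display name names a
    protected brand but the address is not on that brand's domain, else None."""
    name, addr = parseaddr(from_header)
    actual_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for keyword, brand_domain in IMPERSONATED_BRANDS.items():
        if keyword in name.lower() and not _under(actual_domain, brand_domain):
            return brand_domain, actual_domain
    return None


def body_text(msg):
    """Collect the text/plain parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def link_domains(text):
    """Sorted, de-duplicated hostnames of every http(s) URL in the text."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted(h.lower() for h in hosts if h)


def triage(raw_message):
    """Summarise impersonation signals for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    mismatch = display_name_mismatch(msg.get("From", ""))
    links = link_domains(body_text(msg))
    off_brand_links = []
    if mismatch:
        brand_domain, _ = mismatch
        off_brand_links = [d for d in links if not _under(d, brand_domain)]
    return {
        "display_name_mismatch": mismatch,
        "link_domains": links,
        "off_brand_links": off_brand_links,
        # Escalate when a brand-claiming sender on a foreign domain also
        # points recipients at links outside the brand's domain.
        "suspicious": bool(mismatch and off_brand_links),
    }


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, triage(raw))
```

The check deliberately does not treat "sent through a marketing provider" as malicious on its own, since many legitimate newsletters are; the signal is the combination of a brand-claiming display name, a sending domain the brand does not own, and links that leave the brand's domain. In production the brand table would come from the organisation's own list of trusted senders, and a hit would route the message to sandbox detonation rather than straight to the user.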

Tom Burt, vice president of customer security and trust at Microsoft, told NPR in an interview that the hackers appeared to be learning as they went along, customizing their malware packages depending on the target. "Even before the malware gets installed," he said, "they're doing some things to help them understand the environment that they are going to try to install the malware into, so they can pick the right malware package."

That matters because it is yet another indication that a nation-state actor is involved. As a general matter, common cyber criminals don't target these kinds of institutions or tailor their malware in this way. Microsoft said about 150 organizations may have fallen prey to the hack, with some 3,000 possibly compromised accounts, though the company thinks the final number will probably end up much lower than that.

The latest attack follows the discovery earlier this year of a sweeping supply chain hack against a Texas software company called SolarWinds. In that case, hackers linked to the SVR are thought to have slipped into the company's development environment and swapped their version of a software update with the one SolarWinds had produced.

In that case they are thought to have compromised a list of U.S. companies and a handful of government institutions including the Treasury Department, Homeland Security and even the Pentagon.

The Biden administration responded to that breach by leveling more sanctions on Russia and expelling some of its diplomats. President Biden warned Moscow not to embark on these kinds of supply chain attacks, but it appears not to have deterred them. Burt told NPR that Microsoft is certain Russia is behind the latest breach and a good case could be made that it is the same group that targeted SolarWinds.

"We can really be strong about our conclusion that this is a group operating from Russia," Burt told NPR. "The association with the SVR comes from the techniques we see them using and from the kinds of targets they are targeting. So it's a collection of circumstantial evidence, you might say, that point in a consistent direction."

The group behind SolarWinds is known as APT29, or Cozy Bear. Burt said that his team saw many techniques in the hack that overlapped with those Cozy Bear had used in the past, but he stopped short of saying unequivocally that the group is behind it. It is possible, Burt said, that a subset of the group launched the latest attack.

What SolarWinds and the latest breach have in common — aside from the Russian thread — is that they are both considered supply chain attacks. The hackers didn't directly target the companies or institutions they were interested in. Instead, they focused on those organizations' suppliers, found a company further down the supply chain, such as a software or services provider, and hacked it in order to reach the real targets.

The big question now is what the Biden administration's response will be. President Biden is scheduled to hold a summit with Russian President Vladimir Putin in less than three weeks. White House officials told reporters the meeting is going ahead as scheduled.

Editor's Note: Both Microsoft and Constant Contact are financial supporters of NPR.

Copyright 2021 NPR. To see more, visit https://www.npr.org.

AILSA CHANG, HOST:

Russian hackers are at it again. The same group that hacked into software made by SolarWinds appears to have launched another supply chain hack. That's according to Microsoft. The company sent out an alert last night saying hackers who appear to be linked to the Russian intelligence service broke into the email marketing company Constant Contact in order to impersonate the government agency USAID. Dina Temple-Raston of NPR's investigations team has been tracking Russian hacking operations and joins us now. Hey, Dina.

DINA TEMPLE-RASTON, BYLINE: Good morning. Hi.

CHANG: Hi. So we should first note that both Microsoft and Constant Contact are financial supporters of NPR. OK, so tell us more about what Microsoft discovered.

TEMPLE-RASTON: Well, it has this cybercrimes team that's watching for these kinds of intrusions all the time. This week they found hackers in a bunch of international development and human rights organization systems. And as best as they can tell, the hackers broke into a company that was helping USAID with marketing, and they used that hack to send phishing emails. You know, Microsoft told us it wasn't a huge hack. They said maybe as many as 3,000 accounts were either hacked or threatened, maybe as many as 150 institutions. But they think the actual numbers are probably a lot smaller than that.

CHANG: And these are phishing emails. Like, we're talking about fake emails that looked like they were from USAID.

TEMPLE-RASTON: Exactly. So unsuspecting recipients would open these emails. They'd click on the links. And by doing that, the malware would be installed on their systems. And then the malware would basically give the hackers free access. They could steal data. They could infect other computers on these networks. They could read emails. They could even plant other malware. We talked to Tom Burt, vice president of consumer security and trust at Microsoft. He was behind that advisory last night, and he said that the hackers actually kind of customized the malware depending on the target.

TOM BURT: These guys are actually doing something a little different in, even before the malware gets installed, they're doing some things to help them understand the environment that they are going to try to install the malware into so they can pick the right malware package.

TEMPLE-RASTON: The reason that's important is because that's the kind of thing that nation-state hackers do. It's not the kind of thing that common cybercriminals do.

CHANG: That's so...

TEMPLE-RASTON: They just aren't that careful.

CHANG: ...Interesting. OK, so Russian intelligence is definitely behind this hack.

TEMPLE-RASTON: We asked Tom Burt that, too, and he says they think it was a subset of the SolarWinds hacking group linked to the Russian intelligence service, the SVR.

BURT: The association with the SVR comes from what - the techniques we see them using and from the kinds of targets that they are targeting. So it's a collection of circumstantial evidence, you might say, that point in a consistent direction.

TEMPLE-RASTON: So the group that was behind SolarWinds is known as APT29 or Cozy Bear. And Microsoft said that they saw a lot of things that seem to overlap with Cozy Bear - easy to say. But they don't want to say unequivocally that it is the exact same people. It might be a subset. What they're not equivocating about, though, is that this hack came from Russia.

CHANG: OK. And is the technique here similar to what was found in the SolarWinds hack late last year?

TEMPLE-RASTON: Yes and no. The SolarWinds attack was actually really complicated and stealthy, and Microsoft appears to have seen this latest hack really quickly. And it's much simpler. I mean, the hackers aren't directly targeting companies or institutions they want to hack. They're focusing on suppliers in this case, just like they were in SolarWinds. And they're finding a company further down the supply chain, like a software company, to hack into them instead. The big question now is what the response is going to be. President Biden has already warned that Russia shouldn't be doing these attacks, and now they've done another one. So the question is whether or not this is going to force a response from the U.S.

CHANG: Yeah. All right. That is NPR investigations correspondent Dina Temple-Raston. Thank you, Dina.

TEMPLE-RASTON: You're welcome. Transcript provided by NPR, Copyright NPR.