The White House says it believes US federal institutions largely fended off the latest cyberespionage blitz blamed on Russian intelligence operatives, adding that the spear-phishing campaign should not further sour relations with Moscow ahead of a scheduled presidential summit next month.
Officials dismissed the cyberattack as “simple phishing,” in which hackers sent malware-laden emails to government institutions, think tanks, and humanitarian organisations in the United States and abroad. Microsoft, which disclosed the campaign late Thursday, said it believes the majority of the emails were stopped by spam-filtering software.
The company stated it was “not seeing indication of any large number of impacted organisations at this time” as of Friday afternoon.
Nonetheless, the revelation of a new spy campaign so close to President Joe Biden’s June 16 summit with Russian counterpart Vladimir Putin heightens the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that has eluded criminal indictments and diplomatic sanctions.
“I don’t believe it will generate a new source of strain because the current point of stress is so large,” James Lewis, a senior vice president at the Center for Strategic and International Studies, said. “Clearly, this needs to be on the summit’s agenda.” The president must “draw some lines in the sand” to make it clear that “the days of you folks doing whatever you want are over,” Lewis said.
The meeting takes place amid simmering tensions fueled in part by Russian election meddling and a huge cyber-attack on US government agencies and private companies by Russian elite cyber operatives who corrupted the software supply chain with harmful malware. Last month, the US retaliated with sanctions, prompting the Kremlin to threaten retaliation.
“We’re going to move forward with that,” principal deputy press secretary Karine Jean-Pierre said on Friday when asked whether the newest hacking attempt would derail the Biden-Putin summit.
The United States, which has frequently blamed Russia or criminal groups headquartered there for cyber operations, made no such accusations in this case. The SolarWinds campaign, in which at least nine governmental agencies and scores of private sector firms were infiltrated through a corrupted software update, was blamed on Microsoft.
In this case, hackers acquired access to the US Agency for International Development’s email marketing account and used it to target over 3,000 email accounts at over 150 different organisations while posing as the government agency. Microsoft Vice President Tom Burt stated in a blog post late Thursday that at least a quarter of them are participating in foreign development, humanitarian, and human rights work.
The company did not specify how many of the attempts resulted in successful intrusions, but it did state in a separate technical blog post that the vast majority of them were blocked by automated systems that flagged them as spam. Even if an email evaded those safeguards, a user would still have to click on the link to trigger the malicious payload, according to the White House.
The campaign looked to be a continuation of Russian hackers’ previous efforts to “target government entities involved in foreign policy as part of intelligence collection efforts,” according to Burt. According to him, the targets covered at least 24 countries.
Separately, the major cybersecurity firm FireEye claimed it had been watching “multiple waves” of linked spear-phishing by hackers from Russia’s SVR foreign intelligence service since March, which employed a variety of lures including diplomatic notes and invites from embassies.
According to Microsoft, the hackers got access to USAID’s account at Constant Contact, an email marketing firm. The phishing emails, which date from May 25, claim to provide new information on 2020 election fraud charges and include a link to malware that allows the hackers to “acquire persistent access to victim machines.”
The attack is ongoing, according to Microsoft, and builds on escalating spear-phishing campaigns first detected in January.
Pooja Jhunjhunwala, a spokesperson for USAID, said on Friday that the agency was investigating with the support of the Cybersecurity and Infrastructure Security Agency. Kristen Andrews, a representative for Constant Contact, called it a “unique incident.”
While the SolarWinds effort was extremely covert and began in 2019 before being discovered by FireEye in December, this attack is what cybersecurity experts refer to as noisy, which means it is easier to identify.
Even though “the spear phishing emails were swiftly recognised,” FireEye’s VP of analysis, John Hultquist, warned in a statement Friday that “any post-compromise actions by these individuals would be highly sophisticated and sneaky.” “This event serves as a reminder that cyber espionage is here to stay,” he stated.
Many cybersecurity specialists did not see the operation as an escalation of Russian cyber warfare.
Jake Williams, president of Rendition Infosec and a former US government hacker, stated, “I think it’s par for the course.” He believes it is naïve to believe that American cyber operators aren’t doing similar operations against adversaries.
It isn’t nearly as dangerous as the SolarWinds attack, according to Bobby Chesney, a national security law expert at the University of Texas at Austin. It also pales in comparison to the ransomware attack on the Colonial Pipeline earlier this month, which was carried out by Russian-speaking criminals tolerated by the Kremlin.
Chesney believes it is incorrect to see the USAID targeting as Russian retaliation for the sanctions or as evidence that the sanctions are ineffective.
Chesney remarked, “I don’t think it proves anything.” “It comes as no surprise that the SVR is still involved in cyber espionage. I don’t believe we tried to dissuade them from doing this in bulk.”