The White House says it believes US government agencies largely fended off the latest cyberespionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month’s planned presidential summit.
Officials downplayed the cyber assault as “basic phishing” in which hackers used malware-laden emails to target the computer systems of US and foreign government agencies, think tanks and humanitarian groups. Microsoft, which disclosed the effort late Thursday, said it believed most of the emails were blocked by automated systems that marked them as spam.
As of Friday afternoon, the company said it was “not seeing evidence of any significant number of compromised organizations at this time.”
Even so, the revelation of a new spy campaign so close to the June 16 summit between President Joe Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.
“I don’t think it’ll create a new point of tension because the point of tension is already so big,” said James Lewis, a senior vice president at the Center for Strategic and International Studies. “This clearly has to be on the summit agenda. The president has to lay down some markers” to make clear “that the days when you people could do whatever you want are over.”
The summit comes amid simmering tensions driven in part by election interference by Moscow and by a massive breach of US government agencies and private corporations by Russian elite cyber spies who infected the software supply chain with malicious code. The US responded with sanctions last month, prompting the Kremlin to warn of retribution.
Asked Friday whether the latest hacking effort would affect the Biden-Putin summit, principal deputy press secretary Karine Jean-Pierre said, “We’re going to move forward with that.”
The US, which has previously called out Russia or criminal groups based there for hacking operations, did not blame anyone for the latest incident. Microsoft attributed it to the group behind the SolarWinds campaign, in which at least nine federal agencies and dozens of private sector companies were breached through a contaminated software update.
In this case, hackers gained access to an email marketing account of the US Agency for International Development, and masquerading as the government body, targeted about 3,000 email accounts at more than 150 different organizations. At least a quarter of them involved in international development, humanitarian and human rights work, Microsoft Vice President Tom Burt said in a blog post late Thursday.
The company did not say what portion of the attempts may have led to successful intrusions but said in a separate technical blog post that most were blocked by automated systems that marked them as spam. The White House said even if an email eluded those systems, a user would still have to click on the link to activate the malicious payload.
Burt said the campaign appeared to be a continuation of multiple efforts by the Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets spanned at least 24 countries.
Separately, the prominent cybersecurity firm FireEye said it has been tracking “multiple waves” of related spear-phishing by hackers from Russia’s SVR foreign intelligence agency since March — preceding the USAID campaign — that used a variety of lures including diplomatic notes and invitations from embassies.
The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said.
The authentic-looking phishing emails dated May 25 purport to contain new information on 2020 election fraud claims and include a link to malware that allows the hackers to “achieve persistent access to compromised machines.”
Microsoft said the campaign is ongoing and built on escalating spear-phishing campaigns it first detected in January.
USAID spokeswoman Pooja Jhunjhunwala said Friday that it was investigating with the help of the Cybersecurity and Infrastructure Security Agency. Constant Contact spokeswoman Kristen Andrews called it an “isolated incident.”
While the SolarWinds campaign, was supremely stealthy and began as far back as 2019 before being detected in December by FireEye, this campaign is what cybersecurity researchers call noisy, meaning easy to detect.
And though “the spear phishing emails were quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy,” FireEye’s VP of analysis, John Hultquist, said in a statement Friday. He said the incident “is a reminder that cyber espionage is here to stay.”
Many cybersecurity experts did not consider the operation an escalation of online Russian aggression.
“I think it’s par for the course,” said Jake Williams, president of Rendition Infosec and a former US government hacker. He said it’s naive to think that US cyber operators aren’t engaged in similar operations targeting adversaries.
Bobby Chesney, a University of Texas at Austin law professor specializing in national security, said it nowhere near as significant as the SolarWinds hack. Nor does come anywhere hear the damage done by the ransomware attack earlier this month — by Russian-speaking criminals tolerated by the Kremlin — that temporarily knocked the Colonial Pipeline offline.
Chesney said he thought it was wrong to regard the USAID targeting as a Russian response to sanctions or a sign the sanctions were somehow feckless.
“I don’t think it proves anything, really,” Chesney said. “It’s no surprise at all that the SVR is still engaged in espionage in the cyber domain. I don’t think we tried to deter them out of doing this wholesale.”