U.S. says agencies largely fended off latest Russian hack
The White House says it believes U.S. government agencies largely fended off the latest cyber-espionage onslaught blamed on Russian intelligence operatives, saying the spear-phishing campaign should not further damage relations with Moscow ahead of next month’s planned presidential summit.
Officials downplayed the cyber assault as “basic phishing,” in which hackers used malware-laden emails to target the computer systems of U.S. and foreign government agencies, think tanks and humanitarian groups. Microsoft, which disclosed the effort late Thursday, said it believed most of the emails were blocked by automated systems that marked them as spam.
As of Friday afternoon, the company said it was “not seeing evidence of any significant number of compromised organizations at this time.”
Even so, the revelation of a new spy campaign so close to the June 16 summit between President Biden and Russian counterpart Vladimir Putin adds to the urgency of White House efforts to confront the Kremlin over aggressive cyber activity that criminal indictments and diplomatic sanctions have done little to deter.
“I don’t think it’ll create a new point of tension, because the point of tension is already so big,” said James Lewis, a senior vice president at the Center for Strategic and International Studies. “This clearly has to be on the summit agenda.” Biden, he said, “has to lay down some markers” to make clear “that the days when you people could do whatever you want are over.”
The summit comes amid simmering tensions driven in part by election interference from Moscow and by a massive breach of U.S. government agencies and private corporations by Russian elite cyber spies who infected the software supply chain with malicious code. The U.S. responded last month with sanctions, prompting the Kremlin to warn of retribution.
Asked Friday whether the latest hacking effort would affect the Biden-Putin summit, White House Principal Deputy Press Secretary Karine Jean-Pierre said, “We’re going to move forward with that.”
The U.S., which has previously called out Russia or criminal groups based there for hacking operations, did not blame anyone for the latest incident. Microsoft attributed it to the group behind the SolarWinds campaign, in which at least nine federal agencies and dozens of private-sector companies were breached through a contaminated software update.
In this case, hackers gained access to an email marketing account of the U.S. Agency for International Development and, masquerading as the government body, targeted about 3,000 email accounts at more than 150 organizations. At least a quarter of them were involved in international development, humanitarian and human-rights work, Tom Burt, Microsoft’s corporate vice president of consumer security and trust, said in a blog post late Thursday.
The company did not say what portion of the attempts may have led to successful intrusions but noted in a separate technical blog post that most were blocked by automated systems that marked them as spam. The White House said even if an email eluded those systems, a user would have had to click on the link to activate the malicious payload.
Burt said the campaign appeared to be a continuation of multiple efforts by Russian hackers to “target government agencies involved in foreign policy as part of intelligence gathering efforts.” He said the targets spanned at least 24 countries.
Separately, the cybersecurity firm FireEye said it has been tracking “multiple waves” of related spear-phishing by hackers from Russia’s SVR foreign intelligence agency since March — preceding the USAID campaign — that used a variety of lures, including diplomatic notes and invitations from embassies.
The hackers gained access to USAID’s account at Constant Contact, an email marketing service, Microsoft said. The authentic-looking phishing emails, dated May 25, purport to contain new information on claims of 2020 election fraud and include a link to malware that allows the hackers to “achieve persistent access to compromised machines.”
Microsoft said the campaign is ongoing and built on escalating spear-phishing campaigns it first detected in January.
USAID spokeswoman Pooja Jhunjhunwala said Friday that the agency was investigating with the help of the Cybersecurity and Infrastructure Security Agency. Constant Contact spokeswoman Kristen Andrews called it an “isolated incident.”
While the stealthy SolarWinds campaign began as far back as 2019 before being detected in December by FireEye, this campaign is what cybersecurity researchers call “noisy,” meaning easy to detect.
And though the spear-phishing emails were “quickly identified, we expect that any post-compromise actions by these actors would be highly skilled and stealthy,” FireEye’s VP of intelligence analysis, John Hultquist, said in a statement Friday. He said the incident “is a reminder that cyber espionage is here to stay.”
Many cybersecurity experts did not consider the operation an escalation of online Russian aggression.
“I think it’s par for the course,” said Jake Williams, president of Rendition Infosec and a former U.S. government hacker. He said it’s naive to think that U.S. cyber operators aren’t engaged in similar operations targeting adversaries.
Robert M. Chesney, a University of Texas at Austin law professor specializing in national security, said the new attack is nowhere near as significant as the earlier SolarWinds hack. Nor does it come anywhere near the damage done by the ransomware attack earlier this month — by Russian-speaking criminals tolerated by the Kremlin — that temporarily knocked the Colonial Pipeline offline.
Chesney said he thought it was wrong to regard the USAID attack as a Russian response to sanctions or a sign that the sanctions were somehow feckless.
“I don’t think it proves anything, really,” Chesney said. “It’s no surprise at all that the SVR is still engaged in espionage in the cyber domain. I don’t think we tried to deter them out of doing this wholesale.”