The Agency for International Development delivers humanitarian aid to many countries, including Russia – this flight delivered 150 ventilators to Vnukovo Airport in June 2020
Russia is again accused of hacking computer systems, this time – the United States Agency for International Development (USAID).
Microsoft said it found signs of a breach and the distinctive signature of the hackers responsible for the earlier SolarWinds attack.
- Sunburst: why it is the most dangerous cyberattack in history and what does Russia have to do with it
Microsoft said Thursday that hackers, possibly linked to the Russian Foreign Intelligence Service (SVR), had secretly broken into the Agency for International Development's email distribution system in order to infiltrate the computer networks of human rights groups and other organizations, including opposition groups.
“This week we have seen cyberattacks from the Nobelium group targeting government agencies, think tanks, consultants and non-governmental organizations,” says a Microsoft blog.
The company believes that it was Nobelium who was behind the attacks on IT company SolarWinds last year.
A spokesman for the Russian president said he had no information about a new cyber attack.
Why USAID?
This time, the hackers broke into a mailing system used by the federal government and sent emails to more than 3,000 accounts at more than 150 organizations that regularly receive messages from the Agency for International Development. The emails were sent this week and carried all the usual logos of the organization.
The emails included code that gave the hackers unrestricted access to recipients' computer systems, enabling anything from “stealing data to infecting other computers on the network,” Microsoft vice president Tom Burt wrote on Thursday evening.
In this case, according to Microsoft, the goal of the hackers was not the Agency for International Development itself, but the opportunity to penetrate the systems of grantees, some of which the Russian authorities consider hostile to their interests.
- “Disconnect the internet in a small country.” Hackers talk about a new cyber weapon ordered by the FSB
“At least a quarter of the organizations attacked were involved in international development, humanitarian and human rights work,” Burt wrote.
A spokesman for the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said on Thursday that the agency is “aware of the potential vulnerability” at the Agency for International Development and is taking steps to mitigate it.
Microsoft believes the attack is the work of the Russian group Nobelium, which is also thought to be responsible for the SolarWinds attack. The American government attributes the SolarWinds hack to the Russian Foreign Intelligence Service. The SVR is also accused of hacking into the Democratic National Committee in 2016 (although the parallel intrusion by the GRU's own hackers is believed to have had more serious consequences), and before that of attacks on the Pentagon and on the e-mail systems of the White House and the State Department.
The attacks are becoming more aggressive and sophisticated, federal officials and experts say. The SolarWinds hack of the US government became known only nine months after the intrusion began, and it was discovered by a private cybersecurity company rather than by the government.
The hack was carried out using code embedded in corporate network management software that is widely used by US government departments and private companies. Among the victims were the Departments of Energy and Homeland Security, as well as several national nuclear laboratories.
Microsoft noted that the cyberattack on the Agency for International Development is markedly different from the SolarWinds hack: it used new tools and techniques, clearly designed to avoid detection. The company believes that the attack is still ongoing and that the hackers continue to send out phishing emails in growing numbers. This is why Microsoft took the unusual step of naming the affected agency and releasing samples of the fake email.
In April, US President Joe Biden announced a series of new sanctions against Russia and the expulsion of diplomats in response to the SolarWinds hack. Biden said he could have responded much more decisively, but did not want to launch a new escalation cycle in relations with Russia and therefore preferred a “proportionate response.”
- The EU has imposed sanctions against four “GRU hackers”. Who are they?
The hack of the Agency for International Development's mail happened just three weeks before President Biden's scheduled meeting with Vladimir Putin in Geneva. Relations between the countries remain tense, in part because of a series of increasingly sophisticated cyberattacks that the United States has blamed on Russia.
In April, Biden discussed the SolarWinds attack with Putin over the phone. The Russian president has denied claims of Russian involvement in it, and some Russian media have said the United States itself carried it out.
SolarWinds Hack Detected By Cybersecurity Experts Nine Months Later
After that, Russia's possible connection to hacker groups was back on the agenda when Colonial Pipeline's systems came under cyberattack. The ransomware attack forced the company to shut down a pipeline that carries nearly half of the gasoline, diesel and jet fuel supplied to the US East Coast, prompting a spike in prices and panic buying at gas stations.
The Kremlin said it had no information about the cyberattack and that it was up to Microsoft to demonstrate that the hackers had a connection with Russia.
Answering journalists' questions about whether this will affect the upcoming summit of the heads of the two states, the press secretary of the Russian President, Dmitry Peskov, said: “To answer your question, you need to answer: which groups, why are they connected with Russia, what, who attacked, what did it lead to, what was the attack, and how did Microsoft know about it? If you answer all these questions, then you can think about the answer.”
According to him, the Kremlin cannot comment on these issues, since it has no information about the cyberattacks. “I cannot comment on them in any way, we do not have such information. This is what Microsoft claims. Accordingly, Microsoft should clarify these issues,” he added.
Peskov also doubted that Microsoft's statement would somehow affect the upcoming summit of the presidents of the Russian Federation and the United States.