Russian hackers resume US cyber offensive, Microsoft says
Hack affected users in at least two dozen other countries
The Russian hackers behind the SolarWinds campaign escalated their attacks on US federal agencies, think tanks and non-governmental organisations as part of intelligence gathering efforts on behalf of their government, Microsoft said.
In a blog post late on Thursday, Microsoft vice president Tom Burt said this past week’s attack, which is ongoing, granted access to about 3,000 email accounts at more than 150 organisations by infiltrating a digital marketing service used by the US Agency for International Development (USAID), called Constant Contact.
The hackers distributed phishing emails, among them “special alerts”, declaring that former US president Donald Trump had published new documents on election fraud, and inviting the user to view them.
When clicked, a malicious file was inserted that the hackers could use to distribute a backdoor, granting them the ability to steal data and infect other computers on the network.
While US organisations bore the brunt of the attacks, victims in at least 24 other countries were affected, Mr Burt wrote.
The Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security posted news of the breach to its website and encouraged users to review Microsoft’s reporting and “apply the necessary mitigations”.
Massachusetts-based Constant Contact has made no public comment.
Mr Burt said it was clear that part of the hackers’ playbook was gaining access to trusted providers to infect their customers.
Similarly, in the SolarWinds campaign discovered in December 2020, hackers installed malicious code in updates for software belonging to Texas company SolarWinds Corp, which was sent to tens of thousands of its customers, including nine federal agencies and at least 100 companies.
Accessing software updates and mass email providers gives the hackers increased chances of “collateral damage in espionage operations and undermines trust in the technology ecosystem”, Mr Burt said.
The US government said last month that the SolarWinds hack was the work of SVR, the Russian foreign intelligence service, and said it also went by the names of APT29, which according to British intelligence spent much of last year hacking foreign governments for vaccine research, and Cozy Bear, which was involved in the 2016 hack of the Democratic National Committee.
In April, US President Joe Biden gave an order for sanctions to be imposed against 32 Russian individuals and entities, including six companies that provide support to the Kremlin’s hacking operations.
The US also moved to expel 10 Russian diplomats working in Washington, including some intelligence officers. Mr Biden and Russian President Vladimir Putin are set to meet in Geneva on June 16.
Russia regards the allegations as baseless and does not believe they will affect the talks, Kremlin spokesman Dmitry Peskov said on Friday.
Updated: May 28, 2021 06:45 PM