Kremlin-Backed Hackers Target U.S. Aid Agency Before Biden-Putin Summit

Email phishing attacks aren’t unusual, but the new breach shows Russia isn’t letting up.

By , a national security and intelligence reporter at Foreign Policy, and , a diplomacy and national security reporter at Foreign Policy.
Russian President Vladimir Putin
Russian President Vladimir Putin attends a meeting via videoconference at the Novo-Ogaryovo state residence outside Moscow on June 20. Alexey Nikolsky/Sputnik/AFP via Getty Images

Hackers linked to Russian intelligence services breached systems used by a leading U.S. aid agency to target other government agencies, human rights organizations, and think tanks. The move could ratchet up tensions between Washington and Moscow ahead of a highly anticipated summit between the two countries’ leaders. Cybersecurity experts say that cyberattacks by Russian hackers have become a daily occurrence.

The “wave of attacks,” first revealed by Microsoft Corp. in a blog post on Thursday, breached an email marketing service used by the U.S. Agency for International Development (USAID) to target around 3,000 email accounts at over 150 organizations across 24 countries, though the United States received a bulk of the attacks.

At least a quarter of the organizations targeted by the email phishing campaign worked on humanitarian, international development, and human rights issues, according to Tom Burt, Microsoft’s corporate vice president for customer security and trust. But the extent of the damage is still unclear. Microsoft believes the attacks are ongoing, though it noted that automated threat detection systems blocked most of the emails, marking them as spam.

Microsoft attributed the attacks to Nobelium, the same hacking group that engineered the recent SolarWinds hacks targeting U.S. government agencies, which are considered the worst cyberespionage breach in U.S. history. While Nobelium orchestrated the SolarWinds hacks, U.S. officials said that Russia’s foreign intelligence service, the SVR, was behind the operation.

The latest Nobelium attack, whether it amounts to a significant breach of U.S. government cyber infrastructure or not, shows that Russia has not been deterred by waves of retaliatory U.S. and European sanctions over previous cyberattacks. It also represents the latest example of authoritarian regimes turning to hacking groups to target their rivals abroad, whether foreign governments or human rights advocates.

“This is yet another example of how cyberattacks have become the tool of choice for a growing number of nation-states to accomplish a wide variety of political objectives,” Microsoft’s Burt wrote.

News of the incident is likely to fuel calls in Washington for the Biden administration to take a tougher stance on Moscow. “If Moscow is responsible, this brazen act of utilizing emails associated with the U.S. government demonstrates that Russia remains undeterred despite sanctions following the SolarWinds attack. Those sanctions gave the administration flexibility to tighten the economic screws further if necessary — it now appears necessary,” said Rep. Adam Schiff, Democratic chairman of the House Intelligence Committee, in a statement on Friday.

Some cybersecurity experts were skeptical that the hack on USAID signified a major escalation, noting that spear-phishing emails are a routinely used tool in cyberespionage. “It’s really not that unusual that attackers do something like this,” said security expert Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University. “I’m willing to bet these things happen every single day,” he added.

The targeting of organizations working on human rights and humanitarian aid is significant, as the Kremlin has pursued a steady crackdown on civil society organizations.

“The government is sparing no effort to intimidate, tarnish, and ultimately punish independent groups that work on a wide range of human rights and related civic issues, and one of the key [ways] it’s doing this is to try to falsely implicate them as either foreign in their ideas, or representing foreign interests,” said Rachel Denber, deputy director of the Europe and Central Asia division at Human Rights Watch.

The Russian authorities have repeatedly sought to write off social unrest and government critics as stooges of Western governments. USAID was expelled from Russia in 2012, having worked in the country since the collapse of the Soviet Union. The Russian government accused USAID of seeking to meddle in the country’s domestic politics.

According to Microsoft, Russian hackers orchestrated the latest attack by breaching Constant Contact, an email service used by USAID, to send phishing emails to the thousands of email accounts that appeared to originate from USAID.

John Hultquist, vice president of Mandiant Threat Intelligence at FireEye, said the company had been tracking a wave of spear-phishing-related emails sent since March. “In addition to the USAID content, they have leveraged a variety of lures, including diplomatic notes and invitations from embassies. All of these operations have focused on government, think tanks, and related organizations that are traditionally targeted by SVR operations,” he said in a statement.

“Given the brazen nature of this incident, it does not appear the SVR is prepared to throttle down on their cyberespionage activity, let alone go to great efforts to hide new activity. In fact, this incident is a reminder that cyber espionage is here to stay,” Hultquist said.

A former senior National Security Agency official, speaking on condition of anonymity, said that while the attack was not as technically sophisticated as the SolarWinds hack, attackers devoted significant effort to experimenting and refining their approach. “It’s more sophisticated in terms of social engineering,” the former official said.

One of the spear-phishing emails shared by Microsoft, which was sent out by attackers on Tuesday, posed as an alert from USAID that read, “Donald Trump has published new documents on election fraud,” and included a link to “view documents” that, when clicked, would insert malicious files to steal data and infect other computers.

“It was highly engineered to make it appeal to everybody, regardless of political alignment,” the former official said.

Pooja Jhunjhunwala, USAID’s acting spokesperson, confirmed to Foreign Policy that the agency “became aware of potentially malicious email activity from a compromised Constant Contact email marketing account.”

“The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” she said in an emailed statement.

The attacks come before President Joe Biden is scheduled to meet Russian President Vladimir Putin for a summit in Geneva on June 16 as tensions spike between the two former Cold War rivals.

Biden sharply criticized Russia for the SolarWinds attack and imposed stiff new sanctions on Moscow in April. As he announced the sanctions, however, he stressed he wanted to defuse tensions with Russia. “I chose to be proportionate,” he said. “The United States is not looking to kick off a cycle of escalation and conflict with Russia. We want a stable, predictable relationship.”

The Russian government on Friday dismissed Microsoft’s findings. Dmitry Peskov, Putin’s spokesman, told reporters the Kremlin had no information on the Nobelium attack, calling it a “baseless allegation,” according to Russian state news agency TASS. Peskov said it was unlikely to affect the upcoming summit between Biden and Putin.

Amy Mackinnon is a national security and intelligence reporter at Foreign Policy. Twitter: @ak_mack

Robbie Gramer is a diplomacy and national security reporter at Foreign Policy. Twitter: @RobbieGramer