Head Of Cybersecurity Firm That Detected USAID Hack Explains What Happened
RACHEL MARTIN, HOST:
Russian hackers are at it again. A group linked to Russian intelligence got into an email account that was used by the State Department's international group, USAID. With access to that account, Microsoft says the hackers were able to launch phishing attacks on some 3,000 email accounts at more than 150 organizations around the world. Steven Adair runs a cybersecurity firm called Volexity, which detected the attack, and he joins us now. Thanks for being here.
STEVEN ADAIR: Thank you for having me.
MARTIN: To the degree that you're able, can you explain what happened?
ADAIR: Yeah. So what happened is kind of an attack called spear phishing. And, you know, as you kind of mentioned, it involved USAID. So attackers that we track and tie to being sourced out of Russia gained access to a kind of system called Constant Contact. That's where a lot of different organizations use to kind of manage and, you know, send emails out to different organizations and different recipients. And the account they got access to, so using, you know, the United States government email address, they sent out email messages purporting to be from USAID about election fraud and specifically deemed about Donald Trump releasing, you know, documents about election fraud. It kind of sent this salacious-type lure to, you know, as kind of Microsoft said, you know, thousands of email addresses and hundreds of organizations around the world.
MARTIN: So those are some very sensitive communications, I have to imagine. I mean, what kind of data could have been compromised as a result of this hack?
ADAIR: Yeah. So they would gain access to the computer of the user that had been targeted. And the campaign was a bit broad in the sense not everyone who is - you know, the email was sent to is necessarily someone or an individual working on something that, you know, necessarily the most sensitive type of activity for an organization. But these attackers, they're kind of very adept and very skilled at, you know, turning a foothold or an initial entry point into a wider breach. So, you know, this is basically about getting broader access. So, you know, it might go to someone who is, you know, you'd think a typical target or could be someone who works in, like, the finance department or marketing or other things that may not have - you know, their typical day to day may not be in that public policy or that sensitive data. But once they get access to that machine, they will then try to turn that to compromising other systems on the network, getting information that lets them launch further attacks and kind of basically spread their access and kind of get a broader ranging level of access. And that's exactly what, you know, we believe this was kind of - what they tried to do with this.
MARTIN: So this, as you noted, was an account at an email marketing service, Constant Contact. We should just say Constant Contact is a funder of NPR. But it was an account that was being used by the State Department. So it was through the U.S. government that the hackers were able to get access. Does that mean that the federal government hasn't done enough to secure its accounts and servers?
ADAIR: Yeah, and it's hard to answer. I mean, if you look at the broad footprint of, you know, every different agency, every different email and every avenue that's authorized - I mean, obviously, you know, you don't want this to happen. And could something different have been done? It could have been a two-factor. It could have been a stronger password or things like that. You know, that's - the answer is maybe. I would say at the same time, this type of activity or, you know, this type of access absolutely does not surprise us that, you know, someone would be able to get that.
MARTIN: So, I mean, we just have to prepare ourselves for more of these attacks.
ADAIR: Yeah. So I definitely agree with that. So, you know, I think DHS, CISA, the U.S. government in general, the private sector, I mean, I think a lot of people are moving in the right direction with, you know, improving security. But, you know, it's a game of cat and mouse, right? So you prepare and prepare and prepare and someone always finds, like, a new way around things. But I think the bar is being continuously raised. But this particular attack, you know, it's not necessarily, you know, overly advanced, right? They used some lower level attacks and stuff, like this, hey, Donald Trump released a document, you have to open this - you know, it's kind of self-inflicted. But when you do it at scale and you send this out to a thousand organizations - and you can kind of do that whenever you want. They could launch another one of these attacks tomorrow. They could do it next week. They could do this kind of, like, at will. You're going to land - you're going to throw the fishing reel and you're going to catch something. And that's definitely what they're counting on and they've definitely been successful at.
So I think preparation and continued vigilance and improving security is a bar that everyone needs to always have, like, moving. It's not a static thing or something we can be stagnant on, whether it's the U.S. government or, you know, small organizations or even individuals personally with their security. But, yeah, I would say prepare. But, you know, this is definitely going to continue. And they're going to obviously have - they've had a lot of success with, you know, stealing data and breaching organizations. And I think this will be no exception and probably likely continue, unfortunately.
MARTIN: Steven Adair from the cybersecurity firm Volexity, thank you so much for your time.
ADAIR: Thank you. Thank you for having me. Have a good day.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.