What Microsoft Officials Know About Russia's Phishing Hack Targeting USAID

The Russian group that attacked SolarWinds focused on another government supplier in its latest hack: an email marketing company used by the U.S. Agency for International Development, Microsoft said.


CHANG: Russian hackers are at it again. The same group that hacked into software made by SolarWinds appears to have launched another supply chain hack. That's according to Microsoft. The company sent out an alert last night saying hackers who appear to be linked to the Russian intelligence service broke into the email marketing company Constant Contact in order to impersonate the government agency USAID. Dina Temple-Raston of NPR's investigations team has been tracking Russian hacking operations and joins us now. Hey, Dina.

CHANG: Hi. So we should first note that both Microsoft and Constant Contact are financial supporters of NPR. OK, so tell us more about what Microsoft discovered.

TEMPLE-RASTON: Well, it has this cybercrimes team that's watching for these kinds of intrusions all the time. This week they found hackers in a bunch of international development and human rights organization systems. And as best as they can tell, the hackers broke into a company that was helping USAID with marketing, and they used that hack to send phishing emails. You know, Microsoft told us it wasn't a huge hack. They said maybe as many as 3,000 accounts were either hacked or threatened, maybe as many as 150 institutions. But they think the actual numbers are probably a lot smaller than that.

CHANG: And these are phishing emails. Like, we're talking about fake emails that looked like they were from USAID.

TEMPLE-RASTON: Exactly. So unsuspecting recipients would open these emails. They'd click on the links. And by doing that, the malware would be installed on their systems. And then the malware would basically give the hackers free access. They could steal data. They could infect other computers on these networks. They could read emails. They could even plant other malware. We talked to Tom Burt, vice president of consumer security and trust at Microsoft. He was behind that advisory last night, and he said that the hackers actually kind of customized the malware depending on the target.

TOM BURT: These guys are actually doing something a little different in, even before the malware gets installed, they're doing some things to help them understand the environment that they are going to try to install the malware into so they can pick the right malware package.

TEMPLE-RASTON: The reason that's important is because that's the kind of thing that nation-state hackers do. It's not the kind of thing that common cybercriminals do.

CHANG: That's so...

TEMPLE-RASTON: They just aren't that careful.

CHANG: ...Interesting. OK, so Russian intelligence is definitely behind this hack.

TEMPLE-RASTON: We asked Tom Burt that, too, and he says they think it was a subset of the SolarWinds hacking group linked to the Russian intelligence service, the SVR.

BURT: The association with the SVR comes from what - the techniques we see them using and from the kinds of targets that they are targeting. So it's a collection of circumstantial evidence, you might say, that point in a consistent direction.

TEMPLE-RASTON: So the group that was behind SolarWinds is known as APT29 or Cozy Bear. And Microsoft said that they saw a lot of things that seem to overlap with Cozy Bear - easy to say. But they don't want to say unequivocally that it is the exact same people. It might be a subset. What they're not equivocating about, though, is that this hack came from Russia.

CHANG: OK. And is the technique here similar to what was found in the SolarWinds hack late last year?

TEMPLE-RASTON: Yes and no. The SolarWinds attack was actually really complicated and stealthy, and Microsoft appears to have seen this latest hack really quickly. And it's much simpler. I mean, the hackers aren't directly targeting companies or institutions they want to hack. They're focusing on suppliers in this case, just like they were in SolarWinds. And they're finding a company further down the supply chain, like a software company, to hack into them instead. The big question now is what the response is going to be. President Biden has already warned that Russia shouldn't be doing these attacks, and now they've done another one. So the question is whether or not this is going to force a response from the U.S.

CHANG: Yeah. All right. That is NPR investigations correspondent Dina Temple-Raston. Thank you, Dina.

TEMPLE-RASTON: You're welcome.

Copyright © 2021 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.