Russian hackers seized email system used by State Department aid agency, human rights groups

Russian hackers seized the email system used by the State Department’s international agency and other human rights groups, Microsoft announced.

Tom Burt, Microsoft’s corporate vice president of customer security and trust, disclosed in a blog post on Thursday that the Russian group Nobelium targeted about 3,000 email accounts from 150 different organizations in at least 24 countries. The United States received the largest share of the attacks.

Burt said at least a quarter of the organizations targeted were involved in international development, humanitarian or human rights work.

The attacks were launched by gaining access to the email marketing account of the United States Agency for International Development (USAID), which falls under the State Department. From there, the hackers distributed phishing emails that looked real but included a link with a malicious file.

Burt wrote that the attacks “appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts.”

In a separate post, Microsoft said the hackers sent emails to recipients that were made to appear like an alert which stated “Donald Trump has published new documents on election fraud.”

If clicked, the URL directed them to the legitimate Constant Contact Service, and then to Nobelium-controlled infrastructure. A malicious file was then delivered to the system.

A spokesperson for the Cybersecurity and Infrastructure Security Agency told The Hill in a statement “we are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”

Nobelium, based in Russia, is the same actor behind the hack of SolarWinds in 2020 during which hackers gained access to 18,000 customers and compromised nine federal agencies.

The Biden administration has formally acknowledged Russia as behind the hack and sanctioned Russia in mid-April over its involvement.

The hack came a couple of weeks after cybercriminals launched a ransomware attack on the Colonial Pipeline, forcing it to shut down operations and disrupting gas supplies.

President Biden signed an executive order earlier this month to improve federal cybersecurity amid the attack and multiple others.

Updated at 8:04 a.m.