Microsoft officials say hackers linked to the Russian intelligence service, SVR, appear to have launched another supply chain attack — this time on a company that allowed the intruders to slip into the computer networks of a roster of human rights groups and think tanks.
Microsoft said it discovered the breach this week and believes it began with hackers breaking into an email marketing company called Constant Contact, which provides services to, among others, the United States Agency for International Development.
Once they had broken in, the hackers sent out emails that looked like they came from USAID. Those emails contained links, and when the recipients clicked on them, quietly loaded malware into their systems, allowing the hackers full access. They could read emails, steal information and even plant additional malware for use later.
Tom Burt, vice president of customer security and trust at Microsoft, told NPR in an interview that the hackers appeared to be learning as they went along, customizing their malware packages depending on the target. “Even before the malware gets installed,” he said, “they’re doing some things to help them understand the environment that they are going to try to install the malware into, so they can pick the right malware package.”
The reason that’s important is because it is yet another indication that a nation-state actor is involved. As a general matter, common cyber criminals don’t target these kinds of institutions or tailor their malware in this way. Microsoft said about 150 organizations may have fallen prey to the hack, with some 3,000 possible compromised accounts, though they think the number will probably end up much lower than that.
The latest attack follows the discovery earlier this year of a sweeping supply chain hack against a Texas software company called SolarWinds. In that case, hackers linked to the SVR are thought to have slipped into the company’s development environment and swapped their version of a software update with the one SolarWinds had produced.
In that case they are thought to have compromised a list of U.S. companies and a handful of government institutions including the Treasury Department, Homeland Security and even the Pentagon.
The Biden administration responded to that breach by leveling more sanctions on Russia and expelling some of its diplomats. President Biden warned Moscow not to embark on these kinds of supply chain attacks, but it appears not to have deterred them. Burt told NPR that Microsoft is certain Russia is behind the latest breach and a good case could be made that it is the same group that targeted SolarWinds.
“We can really be strong about our conclusion that this is a group operating from Russia,” Burt told NPR. “The association with the SVR comes from the techniques we see them using and from the kinds of targets they are targeting. So it’s a collection of circumstantial evidence, you might say, that point in a consistent direction.”
The group behind SolarWinds is known as ATP29, or Cozy Bear. Burt said that his team saw lots of techniques in the hack that overlapped with those Cozy Bear had used in the past but he stopped short of saying unequivocally that they are behind it. It is possible, Burt said, that a subset of the group launched the latest attack.
What SolarWinds and the latest breach have in common — aside from the Russian thread — is that they are both considered supply chain attacks. The hackers didn’t directly target the companies or institutions in which they were interested, instead they focused on their suppliers, finding a company further down the supply chain, like a software company, and hacked them instead.
The big question now is what the Biden administration’s response will be. President Biden is scheduled to hold a summit with Russian President Vladimir Putin in less than three weeks. White House officials told reporters the meeting is going ahead as scheduled.
Editor’s Note: Both Microsoft and Constant Contact are financial supporters of NPR.