The Russia-linked hackers behind the cyberattack on SolarWinds have returned, launching a phishing attack targeting approximately 3,000 email accounts belonging to workers at more than 150 organizations, Microsoft said late Thursday.
The attack on SolarWinds is considered by investigators to be one of the most stealthy and sophisticated ever detected, but the phishing attack was in some ways the opposite of that. The hackers took over an online account used for mass emails by the U.S. Agency for International Development and sent deceptive phishing emails that contained malicious links.
Although the attack appears to have been largely unsuccessful—most of the email messages were marked as spam, Microsoft said—investigators say it shows that the hackers behind SolarWinds aren’t going away.
“These attacks appear to be a continuation of multiple efforts…to target government agencies involved in foreign policy as part of intelligence gathering efforts,” said Tom Burt, a Microsoft corporate vice president in charge of security, in a blog post.
A Microsoft spokesman declined to say how his company had linked the attack to the SolarWinds incident. U.S. government officials have said that the SolarWinds hack was conducted by Russia’s Foreign Intelligence Service, known as the SVR. Russia has denied that the agency was behind the SolarWinds attack.
The Kremlin dismissed the Microsoft report, saying that the company’s allegations were unfounded.
“It’s an abstract statement [by Microsoft],” Kremlin spokesman Dmitry Peskov told reporters Friday. “It’s like if we said we believe a large threat is coming from Microsoft and the software. It would be the same unfounded accusation.”
The phishing campaign began in late January and involved several waves, but it escalated significantly on Tuesday when the hackers took over an email marketing account used by the U.S. agency, Microsoft said. USAID, as it is known, dispenses billions in U.S. assistance to foreign countries.
The phishing campaign was reported earlier on Thursday by the cybersecurity investigations company Volexity Inc., which said that one of its customers had been infected after clicking on a phishing link.
Targets of the phishing campaign included government agencies, research institutions, nongovernmental organizations, and international agencies, Volexity said. About a quarter of the phishing emails targeted humanitarian and international development workers, Mr. Burt said. U.S. organizations received the majority of the phishing emails, but the attackers targeted workers in at least 24 countries, he said.
A spokesman for USAID said that the agency was investigating “potentially malicious email activity from a compromised Constant Contact email marketing account,” and that the agency was working with the U.S. Department of Homeland Security on the incident.
Constant Contact said that the hackers were able to send the phishing emails by compromising the login credentials of one of their customers. “This is an isolated incident, and we have temporarily disabled the impacted accounts,” a company spokeswoman said.
The allegations came three days after the White House said President Biden would meet with Russian President Vladimir Putin on June 16 in Geneva.
The White House had been discussing a meeting with Mr. Putin in recent weeks but hadn’t finalized a date and location. The agenda is likely to cover topics including nuclear proliferation, climate change and Russia’s efforts to interfere in foreign elections.
In April, Mr. Biden told Mr. Putin the U.S. would respond to Russia’s cyber intrusions, the White House said, and the U.S. levied retaliatory measures against Russia over the alleged election interference and the SolarWinds cyberattack.
Mr. Peskov said on Friday that the allegations likely won’t affect the preparations for the meeting.
“So far no accusations made by Microsoft have been on the agenda” for the meeting, Mr. Peskov said.