Hackers Attack USAID’s Mail System

Microsoft has warned users that hackers are using the US Agency for International Development’s (USAID) email system to target government bodies and nongovernmental organizations (NGOs). One such malicious email displays a “usaid.gov” identification as the sender, which could have led recipients to believe it was legitimate, yet it contained a code that would allow the hackers to gain unlimited access to the recipients’ systems and networks. The genuine-looking emails were sent out to over three thousand accounts across more than 150 organizations that regularly receive communications from USAID.

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.

Microsoft executive Tom Burt wrote that at least a quarter of the targeted organizations were “involved in international development, humanitarian, and human rights work.”

More details from Microsoft:

• New sophisticated email-based attack from NOBELIUM (May 27)
• Another Nobelium Cyberattack (May 27)

Visit BRG’s Cyber Security & Investigations webpage.