What Microsoft Officials Know About Russia’s Phishing Hack Targeting USAID

Microsoft says the same group that breached the software company SolarWinds seems to have launched another hack, this time using phishing attacks on a number of human rights agencies, including the U.S. Agency for International Development.

Microsoft officials say hackers linked to the Russian intelligence service, SVR, appear to have launched another supply chain attack — this time on a company that allowed the intruders to slip into the computer networks of a roster of human rights groups and think tanks.

Microsoft said it discovered the breach this week and believes it began with hackers breaking into an email marketing company called Constant Contact, which provides services to, among others, the United States Agency for International Development.

Once they had broken in, the hackers sent out emails that looked like they came from USAID. Those emails contained links, and when recipients clicked on them, the links quietly loaded malware into their systems, allowing the hackers full access. They could read emails, steal information and even plant additional malware for use later.

Tom Burt, vice president of customer security and trust at Microsoft, told NPR in an interview that the hackers appeared to be learning as they went along, customizing their malware packages depending on the target. "Even before the malware gets installed," he said, "they're doing some things to help them understand the environment that they are going to try to install the malware into, so they can pick the right malware package."

That matters because it is yet another indication that a nation-state actor is involved. As a general matter, common cybercriminals don't target these kinds of institutions or tailor their malware in this way. Microsoft said about 150 organizations may have fallen prey to the hack, with some 3,000 possible compromised accounts, though the company thinks the number will probably end up much lower than that.

The latest attack follows the discovery earlier this year of a sweeping supply chain hack against a Texas software company called SolarWinds. In that case, hackers linked to the SVR are thought to have slipped into the company's development environment and swapped their version of a software update with the one SolarWinds had produced.

In that case they are thought to have compromised a list of U.S. companies and a handful of government institutions including the Treasury Department, Homeland Security and even the Pentagon.

The Biden administration responded to that breach by leveling more sanctions on Russia and expelling some of its diplomats. President Biden warned Moscow not to embark on these kinds of supply chain attacks, but it appears not to have deterred them. Burt told NPR that Microsoft is certain Russia is behind the latest breach and a good case could be made that it is the same group that targeted SolarWinds.

"We can really be strong about our conclusion that this is a group operating from Russia," Burt told NPR. "The association with the SVR comes from the techniques we see them using and from the kinds of targets they are targeting. So it's a collection of circumstantial evidence, you might say, that point in a consistent direction."

The group behind SolarWinds is known as APT29, or Cozy Bear. Burt said that his team saw lots of techniques in the hack that overlapped with those Cozy Bear had used in the past, but he stopped short of saying unequivocally that they are behind it. It is possible, Burt said, that a subset of the group launched the latest attack.

What SolarWinds and the latest breach have in common — aside from the Russian thread — is that they are both considered supply chain attacks. Rather than directly targeting the companies or institutions in which they were interested, the hackers focused on their suppliers, finding a company further down the supply chain, like a software company, and hacking it instead.

The big question now is what the Biden administration's response will be. President Biden is scheduled to hold a summit with Russian President Vladimir Putin in less than three weeks. White House officials told reporters the meeting is going ahead as scheduled.

Editor's Note: Both Microsoft and Constant Contact are financial supporters of NPR.

Copyright 2021 NPR. To see more, visit

