Microsoft says Russian hackers are behind latest phishing attack on U.S. government

Microsoft says the same group of Russian hackers responsible for the SolarWinds hack has struck again, launching another cyberattack on several foreign and domestic agencies. According to Microsoft, the group targeted 3,000 email accounts at more than 150 organizations in an apparent phishing attack. Jamil Jaffer, senior vice president at IronNet Cybersecurity and the lead architect of the Cyber Intelligence Sharing and Protection Act, joins CBSN to discuss how the group carried out this latest attack against the U.S. government.

Video Transcript

LANA ZAK: Microsoft says the same group of Russian hackers responsible for the SolarWinds attack has struck again, launching another cyber attack on several foreign and domestic agencies. The hackers targeted 3,000 email accounts at more than 150 various organizations in an apparent phishing attack. They were able to carry out the attack by infiltrating an email system used by the State Department's International Aid Agency to fool their targets.

The Cybersecurity and Infrastructure Security Agency told CBS News in a statement, quote, "We are aware of the potential compromise at USAID through an email marketing platform and are working with the FBI and USAID to better understand the extent of the compromise and assist potential victims." The attack comes three weeks after President Biden signed an executive order aimed at bolstering the nation's cybersecurity efforts and better protecting federal government networks.

To understand more about this, joining me now is Jamil Jaffer. He is the senior vice president for Strategy, Partnerships and Corporate Development at IronNet Cybersecurity and the lead architect of the Cyber Intelligence Sharing and Protection Act. Jamil, good to have you on. According to Microsoft, this is, quote, "a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts." The hack is still in progress, so what's being done to mitigate the damage of this latest breach?

JAMIL JAFFER: Right. Well, look, Lana, Microsoft was able to identify a number of indicators of compromise associated with this particular Nobelium attack, including the files that are being utilized, the malware that's being utilized, which they're calling NativeZone. And so they've also identified email accounts from which these emails were coming.

What happened here is really interesting. It's not really sophisticated. It's just sort of standard phishing, but it's a sophisticated play in that they went into Constant Contact, a provider for USAID that does USAID's official emails, they obtained that account, and then sent out an email from the official USAID account that Constant Contact maintains. So when it came into these 3,000 email addresses, these 150 organizations, they thought it was a legitimate USAID email because it came from the same place that they're used to getting legitimate emails from.

LANA ZAK: You know, Jamil, I'm not sure if I am heartened or scared by the fact that you say it's not a particularly sophisticated attack, and yet, it seems to have penetrated so deeply and still is ongoing. We know that government agencies, think tanks, and consultants were all targeted in this hack. What do we know about the information that hackers were actually able to obtain from these groups?

JAMIL JAFFER: Yeah, that's a great question. We don't know yet, Lana, exactly how many of these organizations clicked on the malware, how many organizations the malware was installed in, and then whether the Russians actually utilized it, what they've gathered, in part because we caught this pretty quickly. Some of these emails went out as recently as Tuesday, and so this was caught fairly quickly by Microsoft, so good job by them and the government to get on top of this.

This actually demonstrates a good example of when you catch something fast and you're able to get it out, how well you can protect the environment. The real key here, though, is this is a provider, Constant Contact, providing service to USAID. It demonstrates how poor it is that we come together, these providers, the people they work for, supply chain. We get them together and work together, identify the attacks, and stop them, either as they're ongoing or ideally, before they even happen, so this idea of collective defense, bringing companies together, and the government and industry to really defend the nation better.

LANA ZAK: So this is a spear phishing effort. Why is that particular type of cyber attack such an effective method for obtaining information?

JAMIL JAFFER: It's effective because it works, unfortunately. All of us have been victims of spear phishing at some level, even people in the cyber security industry. You see this email come in, it looks legitimate, you click on it. What's important about this one is they made it look a lot more legitimate because they came from the right source. They came with legitimate background. This might be on your whitelist because you already approved emails coming in from Constant Contact because you know they are legitimate for USAID.

So this was a smart move in that sense, but again, like we talked about before, phishing is a pretty standard way, but why use a zero-day exploit or some specialized capability when you can get in using phishing? The malware, on the other hand, that they're deploying is interesting also because it allows you to get on the system, own that box, then move around and look for other places to go inside the network. And that's where it gets really interesting that now, they're able to gather information, infect more computers. Once you're inside, you can elevate privileges and own the entire system.

LANA ZAK: According to Microsoft, the attack was conducted by the same group of Russian hackers that were responsible for the SolarWinds hack last year. How have their methods changed, and what have we learned from these attacks?

JAMIL JAFFER: Yeah. Well, one of the things I think that's common about these two attacks is the supply chain vector. In the case of the SolarWinds attack, they went in through a security provider, they exploited the update cycle there, and were able to get into the software. Here they've gone into another supply chain provider, this time, an email provider, and they've utilized that to go, not after the agency itself, but after the agency's clients and customers and partners.

And so again, what both of these tell us is that it's not just the agency itself that might be affected. It's all the people they work with, all the people they spend time with, all the people they fund. And so that's, again, why it's so important when you look at these supply chain attacks, you can't just assume, "I protected my network. I'm good to go." You'd better protect and help protect the networks of those who you work with, your partners, your customers, and those who supply you information, whether it's a security supplier or an email provider. Again, it comes back to the idea that one company standing alone can't do it themselves.

They've got to work together, and that's what's really important about the Biden administration's cybersecurity executive order. It talks about bringing government contractors and the government together, and the same thing needs to happen in private industry and with the government.

LANA ZAK: I want to follow up on this point because Microsoft detected these ongoing phishing attempts. We're talking about President Biden and the administration's efforts to try and mitigate these attacks. Is the government relying, really, on private companies to try and protect our information? How does this work? Ultimately, who should be responsible for protecting our nation's cybersecurity?

JAMIL JAFFER: You know, Lana, that's actually a terrific question. Now, we've always thought about, when there are nation states attacking us, it's the job of the government to defend us. You think about if there's a Russian bomber coming over the horizon, we don't expect Target or Walmart to have surface-to-air missiles on the roof of their buildings to defend against a Russian "Bear" bomber. At the same time, in cyberspace, we've got the exact opposite approach. We expect every single company-- small, large, medium-- to defend against all comers, whether it's a script kiddie in their basement, a criminal hacker gang, or a nation state like Russia, China, Iran, or North Korea.

That might not make sense, but that is where we are today, and the vast majority of our infrastructure is owned by the private sector, and so it's got to be a collaboration. It's got to be companies who work with companies, industries working with industries, and the government and industry working together, and at some level, allies working together, also, against common threats, whether that's us and Europe against China or us joining hands with our allies against Russia also.

LANA ZAK: Jamil Jaffer, thank you.

JAMIL JAFFER: Thanks, Lana.