What We Know About The Russian Phishing Hack

SCOTT SIMON, HOST:

We learned this week that thousands of accounts at 150 different humanitarian organizations were breached in an attack that was first disclosed by Microsoft.

Dina Temple-Raston of NPR's investigations team has been tracking the recent Russian hacking operations and joins us. Dina, thanks for being with us.

DINA TEMPLE-RASTON, BYLINE: You're welcome.

SIMON: And what can you tell us about what happened?

TEMPLE-RASTON: So Microsoft's cybercrimes team found these hackers. And they were in the systems of a group of international development organizations. And what they think happened is that the hackers broke into an email marketing company that USAID was using, a company called Constant Contact. And once the hackers had broken in, they sent phishing emails out to other organizations. But those emails looked like they were coming from USAID. And when people got those emails and clicked on the links inside of them, unbeknownst to them, they were installing malware on their networks. And the malware essentially allowed the hackers to read their emails, to steal information and even plant more malware.

SIMON: We should mention that Constant Contact is one of NPR's funders. Dina, do we know who's behind the hack?

TEMPLE-RASTON: Well, yes. I talked to Tom Burt yesterday. He's the vice president of customer security and trust at Microsoft. And he told us that it's pretty clear these hackers were linked to the Russian intelligence service known as the SVR. Here he is.

TOM BURT: The association with the SVR comes from what - the techniques we see them using and from the kinds of targets that they are targeting. So it's a collection of circumstantial evidence, you might say, that point in a consistent direction.

TEMPLE-RASTON: And he says they think that it actually was a subset of the Russian group that hacked SolarWinds. They are also known as APT29 or Cozy Bear. And Microsoft thinks this because they saw a lot of the techniques and code that they saw in this new hack seemed to overlap with things that Cozy Bear had done in the past. And they didn't want to say unequivocally that it's the exact same people that hacked SolarWinds. Maybe it's a subset. But what they're not equivocating about is that this hack came from Russia. And Scott, the reason that's important is because it's yet another indication that a nation-state actor was involved. Your average cybercriminal - they don't target these kinds of institutions, and they certainly don't take the time to tailor their malware like they did in this case.

SIMON: Dina, in a world in which hacks have now become everyday occurrences, how significant is this particular hack?

TEMPLE-RASTON: The hack isn't such a big deal. Microsoft appears to have spotted this one pretty quickly. But it's the context in which it arrives that's really important. After the major SolarWinds breach, President Biden told the Russians to stop. And he took some real steps. He launched sanctions - or more sanctions, even - expelled diplomats. And that doesn't seem to have been enough.

And while this hack isn't nearly as sophisticated as the SolarWinds hack, it's the same kind, something called a supply chain attack. So that means that the hackers didn't directly target the companies or institutions they were interested in, but instead, they focused on suppliers, finding a company sort of further down the chain. And now here we are with the same group from Russia launching yet another supply chain attack.

SIMON: And President Biden is scheduled to meet with Vladimir Putin in June. How does this hack play into any discussions that they might have?

TEMPLE-RASTON: Well, that's a big question. I mean, what will the U.S. response be? President Biden has already warned Russia not to do these supply chain hacks. And now, like a finger in his eye, they've launched another one. So the question really is whether this is going to force the U.S. to respond in some way.

SIMON: Dina Temple-Raston of NPR's investigations unit, thank you so much.

TEMPLE-RASTON: You're welcome.

Transcript provided by NPR, Copyright NPR.