SolarWinds hackers are behind a widespread phishing campaign impersonating USAID, Microsoft says

It's a sign that the hackers are experimenting with new tactics.
(Jeenah Moon/Getty Images)

The same Russian spies who exploited SolarWinds software to infiltrate U.S. government agencies have in the last week launched a phishing campaign that aimed to hack some 150 organizations in 24 countries, Microsoft said Thursday.

The suspected Russian hackers have posed as the U.S. Agency for International Development, a government agency that funds aid projects around the world, to target some 3,000 individual accounts in a blitz of phishing emails since May 25, Microsoft said in a blog post. The majority of the target organizations are in the U.S., and at least a quarter of them work in international development, humanitarian aid and human rights, Microsoft said.

The hackers blasted out the nefarious messages by using a breached account that USAID uses to send marketing emails, according to Tom Burt, Microsoft’s corporate vice president for customer security and trust. A USAID spokesperson said that a forensic investigation into the breach is ongoing.

It’s unclear how successful the campaign was, if at all. Microsoft said most of the malicious emails were blocked, but that some of the emails may have successfully reached the hackers’ targets.


Microsoft said the new campaign is a sign that the hackers, whom the White House has tied to Russia’s SVR foreign intelligence agency, could be experimenting with different tactics after having their infiltration of major technology providers like federal contractor SolarWinds exposed.

“By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem,” Burt said.

Security firm Volexity on Thursday reported on some of the same activity. Microsoft, though, made it clear that the alleged Russian hacking campaign is broader in scope than previously known. And the tech giant pointed the finger at the same Russian group accused of bugging the SolarWinds software.

Moscow denies involvement in the so-called SolarWinds campaign, which has breached nine U.S. agencies and some 100 companies, according to the White House. It has been a significant source of friction in the U.S.-Russia relationship and looms large as Presidents Joe Biden and Vladimir Putin prepare to meet in Switzerland next month.

SVR-linked hackers were also involved in the breach of the Democratic National Committee ahead of the 2016 U.S. election, according to U.S. intelligence agencies. The hackers’ latest campaign shows they continue to take a keen interest in exploiting misinformation around the U.S. electoral process.


One of the phishing emails contains a document purporting to come from USAID claiming that former President Donald Trump has “published new documents on election fraud.”

“The ‘Trump election fraud’ link in the fake email is the chef’s kiss in the continuing misinformation campaign to stoke division within the American people,” tweeted Maurice Turner, a former official at the U.S. Election Assistance Commission. “Russia is choosing escalation [and] embarrassment in the face of US cyber deterrence strategy.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts