Russian Hackers using US Agency to Plan Wide-scale Cyberattack

On Thursday, Microsoft disclosed that the same Russian intelligence agency behind the SolarWinds attack is using a US agency to mount a wide-scale cyberattack. The Russian agency gained access to email systems used by the US Agency for International Development, and sent malicious emails to “around 3,000 individual accounts across more than 150 organizations,” according to a Microsoft Threat Alert.

The US Agency for International Development is a State Department agency that focuses on foreign aid. Microsoft warned that this malicious campaign is still ongoing, and some of the emails were sent as recently as this week.

A US Cybersecurity and Infrastructure Security Agency spokesperson said that the agency is “aware of the potential compromise at USAID through an email marketing platform,” and that it’s “working with the FBI and USAID to better understand the extent of the compromise and assist potential victims.”

The disclosure of this new cyberattack comes just over a month after the US officially imposed sanctions against Russia for their alleged involvement in election interference, malicious cyber activity and the SolarWinds attack. The SolarWinds attack used corrupted software from SolarWinds to infiltrate US federal agencies and over 100 private companies.

Microsoft disclosed that it has been tracking this most recent cybercriminal activity since January 2021. But the severity intensified this week when hackers “leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.” Microsoft said that some of these malicious emails may have been caught by spam filters due to the high volume, but others may have made it to the intended inboxes as well. Constant Contact, according to a company spokesperson, has disabled the impacted accounts.

“We are aware that the account credentials of one of our customers were compromised and used by a malicious actor to access the customer’s Constant Contact accounts. This is an isolated incident, and we have temporarily disabled the impacted accounts while we work in cooperation with our customer, who is working with law enforcement,” said a spokesperson for Constant Contact.

According to Microsoft, clicking the link in the email would download a malicious file to the victim's system that could give hackers “persistent access to compromised systems,” which would allow them to “conduct actions on objectives, such as lateral movement, data exfiltration, and delivery of additional malware.”

"(USAID) became aware of potentially malicious email activity from a compromised Constant Contact email marketing account. The forensic investigation into this security incident is ongoing. USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA)," said Pooja Jhunjhunwala, acting spokesperson for USAID.

Story via CNet.com