US cyber firms: Kremlin-linked hackers may have impersonated State Dept. employee


Kremlin-linked hackers may be behind a campaign to infect U.S. networks by impersonating State Department employees, according to a pair of U.S. cybersecurity firms.

CrowdStrike and FireEye told The Hill on Friday that for the past two days cyber actors have sent emails designed to look as though they originate from the account of a State Department public affairs staffer, and that the emails include links to a compromised website.

The firms said they are attempting to attribute the source of the phishing emails, while noting that the actions appear to be similar to those of a hacking group linked to the Russian government.


A State Department spokesperson told The Hill that the agency is aware of the findings of the two cyber firms and that the actions are “indicative of the kind of common malicious activity that affects many organizations.”

The spokesperson said that the department has a program dedicated to protecting government employees from cyber threats, but that State “cannot get into the details surrounding our cyber defenses and threat analysis programs and capabilities.”

The phishing campaign was first reported by Reuters.

The emails were sent to accounts of people working in a variety of fields, including think tanks, law enforcement and government agencies.

Russian actors have used phishing campaigns in the past to hack into networks, as they did in 2016 when they accessed the Democratic National Committee (DNC).

This campaign is also notable for its timing, just days after the Nov. 6 midterm elections. U.S. election officials have said they did not detect any successful malicious cyber activity during the midterms, but noted that it could be weeks or months before an attack could be identified.

FireEye said there was no sign that the State Department network was used in this most recent campaign, but that the attacker was able to compromise a hospital and a consulting firm and send the emails through those networks.
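The pattern the two firms describe, a visible From: address claiming a State Department account while the messages were actually relayed through compromised third-party networks, is exactly what a mail gateway's alignment check is meant to catch. The following is an added example, not code from either firm or from the article: it parses constructed sample headers (all domains and hosts are made up; `hospital-example.test` stands in for the unnamed compromised organisation) and reports every way the From: domain disagrees with the envelope sender, the connecting relay host, and the receiver's DMARC verdict.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample, not taken from the reported campaign: the visible From:
# claims a State Department account, but the envelope sender and relaying host
# belong to an unrelated organisation and the receiver's DMARC check failed.
SUSPICIOUS_MSG = """\
Return-Path: <bounce@hospital-example.test>
Received: from mail.hospital-example.test ([192.0.2.10]) by mx.recipient.test
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=hospital-example.test; dmarc=fail header.from=state.gov
From: "Public Affairs" <public.affairs@state.gov>
Subject: Unclassified update

Please review: http://compromised-site.test/update
"""

# Constructed control message whose envelope, relay and DMARC verdict all agree.
ALIGNED_MSG = """\
Return-Path: <alerts@recipient.test>
Received: from mail.recipient.test ([192.0.2.20]) by mx.recipient.test
Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=recipient.test; dmarc=pass header.from=recipient.test
From: alerts@recipient.test
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower()


def _in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def sender_alignment_findings(raw_message):
    """Reasons the visible From: header should not be trusted (empty list = aligned)."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    findings = []
    envelope = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if envelope and envelope != from_domain:
        findings.append(f"envelope sender {envelope} != From domain {from_domain}")
    # The outermost Received: line was written by our own MX; its 'from' is the connecting host.
    relay = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    if relay and not _in_domain(relay.group(1).lower(), from_domain):
        findings.append(f"relayed by {relay.group(1)}, not a {from_domain} host")
    dmarc = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"dmarc={dmarc.group(1)} for header.from={from_domain}")
    return findings
```

In production the same three comparisons would be run on the gateway's own Received: and Authentication-Results: headers, and a non-empty result would quarantine the message or strip its links rather than merely flag it.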