Microsoft has warned that cyber-attackers linked to the Russian military are once again targeting American political groups, in a potential attempt to manipulate and disrupt the US midterm elections in November.
The shadowy group, known as Strontium, created Web domains that mimicked organisations such as the International Republican Institute and Hudson Institute so intended victims would believe they were receiving e-mails or visiting sites of legitimate organisations, president Brad Smith said in a blog post. Microsoft said it’s sifting through evidence of the group’s intentions after getting a court order to take over those domains, effectively disrupting the hacking campaign.
Russia is accused of trying to sway the vote in 2016 through disinformation campaigns and targeted hacking, setting in motion a fiery dispute between US President Donald Trump and the Democratic opposition. Even before Microsoft’s warning, top US national security officials had sounded the alarm of further meddling in the midterm elections, where control of congress is at stake. At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage in the 2016 campaign.
“Unfortunately, the Internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems,” Smith said in the blog post. “These domains show a broadening of entities targeted by Strontium’s activities.”
Would-be hackers set up legitimate-sounding websites and domains from which e-mails can be sent, say in a phishing attack. Microsoft said it’s found no evidence so far that the half-dozen domains in the latest case were employed in successful attacks, nor who any intended targets may have been. It said it’s notified and is working with the affected organisations.
The two targeted institutions are conservative bastions, which have at times been at odds with Russia or Trump. The Hudson Institute has been critical of Russia in the past, while the International Republican Institute promotes democracy around the world and counts six Republican senators as well as a leading candidate among its directors, Microsoft said. Those include John McCain — one of Trump’s most vocal critics in congress — and former presidential candidate Mitt Romney. Both have criticised Trump’s interactions with Russia’s Vladimir Putin, particularly around a July summit meeting in Helsinki. In 2016, Russia blacklisted the institute as a threat to its national security.
In the latest example, Strontium also established a trio of domains that carried the “senate” keyword, and one that appeared to be from Microsoft’s own Office 365 suite of cloud software. The company said it’s been monitoring domain activity with US senate IT staff for months, after previously uncovering attempted attacks on the staff of two senators.
International tension over cybersecurity has escalated since the US intelligence community concluded that Russia meddled in the 2016 presidential election with the goal of hurting Democratic candidate Hillary Clinton and helping elect Trump. Strontium is known also as Fancy Bear or APT28 and has been linked to the Russian government and US political hacks. The group has been associated with attacks also against the White House, Nato, European governments and business concerns.
In 2016, Microsoft attributed more so-called zero-day exploits — attacks taking advantage of security holes unknown to the product’s vendor — to Strontium than any other group it tracks.
“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith wrote. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.” — Reported by Edwin Chan, (c) 2018 Bloomberg LP