Microsoft on Thursday said that Russian, Chinese and Iranian hackers are trying to spy on people linked to the campaigns of President Donald Trump and his Democratic rival, Joe Biden ahead of the U.S. election in November 2020.
“In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns,” said Tom Burt, Corporate Vice President of Customer Security and Trust with Microsoft, in a comprehensive Thursday post.
“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the US government and others have reported.”
The attackers have been active against political campaigns, think tanks, advocacy groups, parties, and political consultants not only in the U.S. but in Europe as well, Microsoft said.
According to Burt, the majority of attacks were detected and stopped by Microsoft’s security tools and the targets notified.
Strontium also known as ATP28 or Fancy Bear, is a cyber-attack unit allegedly associated with Russian military intelligence, the GRU. It is also primarily responsible for the attacks on the Democratic presidential campaign in 2016.
The group has targeted more than 200 organizations all over the world between September 2019 and today, which include targets such as:
- U.S.-based consultants serving Republicans and Democrats;
- Think tanks such as The German Marshall Fund of the United States and advocacy organizations;
- National and state party organizations in the U.S.; and
- The European People’s Party and political parties in the UK.
According to Microsoft’s Threat Intelligence Center (MSTIC) investigation, Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations.
In 2016, the group primarily depended on spear-phishing to capture people’s log-in credentials or compromise their accounts. However, in recent months, it has engaged in brute force attacks and password spray, to automate aspects of their operations.
Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. The group even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.
Zirconium also known as APT31, operating from China, has attacked high-profile individuals associated with the election. Its targets have included individuals in two categories.
The first category is targeting people closely associated with U.S. presidential campaigns and candidates.
For instance, it appears to have indirectly and unsuccessfully targeted people associated with the Joe Biden for President campaign through non-campaign email accounts, as well as attacked at least one individual formerly linked with the Trump Administration.
On the other hand, the second category is targeting prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center.
“Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account,” explained Burt.
“Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
Thousands of attacks from Zirconium were detected by Microsoft between March 2020 and September 2020 resulting in nearly 150 compromises. The activity was also spotted by Google back in June.
The Iranian group, Phosphorus, also known as APT35 or Charming Kitten APT 35, or Ajax Security Team, has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election.
These attacks are a continuation of a campaign that started last year, which was detected by Microsoft and disclosed in October 2019.
Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff.
In March 2019, Microsoft used court orders by the U.S. District Court for Washington D.C to take control of 99 websites that Phosphorus used to conduct its hacking operations. Last month, the company used the same method to take control of another 25 new internet domains bringing its total to 155 domains formerly owned by Phosphorus.
Concluding the detailed investigation on the attacks carried out by Russian, Chinese and Iranian hackers, Burt added, “We disclose attacks like these because we believe it’s important the world knows about threats to democratic processes. It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities.
“We report on nation-state activity to our customers and more broadly when material to the public, regardless of the actor’s nation-state affiliation. We are taking extra steps to protect customers involved in elections, government and policymaking. We’ll continue to disclose additional significant activity in our efforts to defend democracy.”