Microsoft Thwarts Russia Hackers Targeting GOP Critics of Trump

(Bloomberg) -- Microsoft Corp. has detected and seized web domains created by cyber-attackers linked to the Russian military, in a potential attempt to manipulate and disrupt the U.S. midterm elections.

The shadowy group, known as Strontium, created domains that mimicked organizations such as the International Republican Institute and Hudson Institute so intended victims would believe they were receiving legitimate emails or visiting real sites, Microsoft President Brad Smith said in a blog post. Microsoft said it’s sifting through evidence of the group’s intentions after getting a court order to take over those domains, effectively disrupting the hacking campaign.

The two targeted institutions are conservative bastions, which at times have been at odds with Russia or U.S. President Donald Trump. Russia rejected Microsoft’s accusations that it was attempting to influence upcoming U.S. elections, which will determine control of Congress, Interfax reported Tuesday, citing an unidentified diplomatic official.

Russia is accused of trying to sway the vote in 2016 through disinformation campaigns and targeted hacking, setting in motion a fiery dispute between Trump and Democrats. Even before Microsoft’s warning, top U.S. national security officials had sounded the alarm of further meddling in the midterms. At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage two years ago.

Cybersecurity firms Recorded Future and FireEye both said the behavior Microsoft identified is consistent with the group’s past operations. Analysts said they expect to see more operations like this.

“There is no doubt these types of attacks will continue through the midterm and 2020 elections so far as the political gain has vastly outweighed the costs,” said Priscilla Moriuchi, director of strategic threat development at Recorded Future. “Unless Russia is confronted with real-world economic and political consequences, these attacks against American democratic institutions will persist.”

The U.S. Congress is considering measures that would impose more sanctions on Russia if it’s found to be meddling in the midterms. The Senate Banking and Foreign Affairs committees held hearings Tuesday on the sanctions’ effectiveness and the prospect of more penalties, including those targeting energy companies, banks, mining interests and new Russian sovereign debt.

Citing the Microsoft report, Democrat Sherrod Brown of Ohio said at the Senate Banking hearing that “true to form the Kremlin promptly denied involvement. That is nonsense. The president should call it that, and forcefully respond.”

Brown said Trump and Congress need to do more but “so far, the president has basically been AWOL, undercutting even modest efforts of professionals” in Treasury and other departments.

Republican Senator Lindsey Graham of South Carolina said in an interview that the Microsoft report shows that what’s been done so far “isn’t working” and underscores the need for added sanctions legislation.

Would-be hackers set up legitimate-sounding websites and domains from which emails could be sent, as in a phishing attack. Microsoft said it’s found no evidence so far that the half-dozen domains in the latest case were employed in successful attacks, nor who any intended targets may have been. It said it has notified and is working with the affected organizations.

“Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems,” Microsoft’s Smith said in the blog post. “These domains show a broadening of entities targeted by Strontium’s activities.”

The group, otherwise known as APT28 or Fancy Bear, is an intelligence-gathering operator, whose “primary mission is to provide Russian policy makers with insight into Russia’s adversaries” by collecting information quietly, said John Hultquist, director of intelligence analysis at FireEye.

APT28 is a key part of Russia’s cyber-operational capability and is attributed to that country’s military intelligence organization, Moriuchi explained. It’s previously targeted U.S., Eastern European, and western government agencies, the World Anti-Doping Agency and the Democratic National Committee. “APT28 is highly politically responsive and conducts both traditional cyber-espionage and cyber-influence operations,” she said.

While espionage against governments and think tanks is business as usual worldwide to a certain extent, Hultquist warned that the government must act carefully and take precautions.

The Hudson Institute has been critical of Russia in the past, while the International Republican Institute promotes democracy around the world and counts six Republican senators as well as a leading candidate among its directors, Microsoft said. Those include John McCain -- one of Trump’s most vocal critics in Congress -- and former presidential candidate Mitt Romney. Both have criticized Trump’s interactions with Russia’s Vladimir Putin, particularly around a July summit meeting in Helsinki. In 2016, Russia blacklisted the institute as a threat to its national security.

Both Republicans and Democrats in Congress have called for tough measures against Russia after Trump was seen as too conciliatory toward Putin in Helsinki.

While Trump has said “nobody’s been tougher on Russia than I have,” he has continued to waver on his acceptance of the finding by U.S. intelligence agencies that Russia interfered in the 2016 presidential campaign and especially the conclusion that the goal was to help him win.

Many of the sanctions that have been imposed on Russia so far have been required by new or long-standing legislation passed by Congress, such as the State Department’s move this month to punish Putin’s government for the nerve-agent attack on a former spy and his daughter in the U.K.

In the latest example, Strontium also established a trio of domains that carried the “senate” keyword, and one that appeared to be from Microsoft’s own Office365 suite of cloud software. The company said it’s been monitoring domain activity with U.S. Senate IT staff for months, after previously uncovering attempted attacks on the staff of two senators.
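The tradecraft described above and earlier in the article, lookalike domains that borrow a target organization’s name, a homoglyph-substituted version of it, or a sensitive keyword such as “senate” or “office365”, is exactly what a defender’s domain-monitoring feed should flag before a phishing mail is ever sent. The following is an added illustration written for this page, not code from Microsoft, Bloomberg or either institute; the protected-domain list, the keyword list and the sample “new registrations” are constructed stand-ins, and the real domains involved in the case are not reproduced here.

```python
from difflib import SequenceMatcher

# Constructed allow-list of domains the defender owns or trusts. These are
# illustrative stand-ins (an assumption for the example), not the domains
# Microsoft seized.
PROTECTED_DOMAINS = ["iri.org", "hudson.org", "senate.gov", "office365.com"]

# Words whose presence in a newly registered name is worth a look on its own;
# the article mentions "senate" and Office365 lookalikes.
WATCH_KEYWORDS = ("senate", "office365")

# Substitutions registrants use to make a lookalike read like the real name.
# Applied to both sides before comparing, so legitimate digits still match.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Constructed sample of "newly registered" domains, as a registrar feed or a
# certificate-transparency log might surface them.
NEW_REGISTRATIONS = [
    "mail.senate.gov",            # legitimate subdomain of a protected domain
    "huds0n.org",                 # digit zero in place of the letter o
    "hudsen.org",                 # one-letter typo
    "hudson-institute-mail.com",  # real brand name embedded in a longer label
    "0ffice365-login.net",        # homoglyph plus a sensitive keyword
    "senate-members.net",         # sensitive keyword only
    "example.com",                # unrelated
]


def registrable_label(domain):
    """Second-level label: 'hudson' for 'mail.hudson.org'. Ignores multi-part
    public suffixes such as .co.uk; a real deployment would use a suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo common homoglyph substitutions so 'huds0n' compares as 'hudson'."""
    for lookalike, real in SUBSTITUTIONS:
        label = label.replace(lookalike, real)
    return label


def is_trusted(candidate, protected):
    """True when the candidate is a protected domain or one of its subdomains."""
    return any(candidate == d or candidate.endswith("." + d) for d in protected)


def classify(candidate, protected=PROTECTED_DOMAINS, keywords=WATCH_KEYWORDS, threshold=0.8):
    """Return a list of findings for one domain; an empty list means no concern.

    Findings are tuples: ("trusted", domain), ("lookalike", protected_domain, reason)
    or ("keyword", word, reason).
    """
    candidate = candidate.lower().strip(".")
    if is_trusted(candidate, protected):
        return [("trusted", candidate)]

    raw_label = registrable_label(candidate)
    norm_label = normalize(raw_label)
    tokens = [t for t in norm_label.split("-") if t]
    findings = []

    for domain in protected:
        target = normalize(registrable_label(domain))
        if norm_label == target:
            # Same name under another TLD, or a homoglyph that normalizes away.
            findings.append(("lookalike", domain, "same label"))
        elif target in tokens:
            # Brand name used as one hyphen-separated piece of a longer label.
            findings.append(("lookalike", domain, "embedded label"))
        elif len(target) >= 5 and SequenceMatcher(None, norm_label, target).ratio() >= threshold:
            # Fuzzy matching only for labels long enough that a near-miss is
            # meaningful; a three-letter label like 'iri' would match too much.
            findings.append(("lookalike", domain, "near-match"))

    for word in keywords:
        if word in raw_label or word in norm_label:
            findings.append(("keyword", word, "sensitive word in label"))

    return findings


def triage(domains, **kwargs):
    """Map each domain that warrants review to its findings; trusted and
    unremarkable names are dropped."""
    report = {}
    for domain in domains:
        findings = classify(domain, **kwargs)
        if findings and findings[0][0] != "trusted":
            report[domain] = findings
    return report


if __name__ == "__main__":
    for domain, findings in triage(NEW_REGISTRATIONS).items():
        print(domain)
        for finding in findings:
            print("   ", *finding)
```

Run against the constructed feed, the script flags five of the seven names and passes the legitimate subdomain and the unrelated domain untouched. In practice the candidate list would come from a registrar zone feed or certificate-transparency monitor, the protected list from the organization’s own inventory, and each hit would be routed to the people who can request a takedown or a court order of the kind described in the article.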

International tension over cybersecurity has escalated since the U.S. intelligence community concluded that Russia tampered in the 2016 presidential election with the goal of hurting Democratic candidate Hillary Clinton. The group has also been associated with attacks against the White House, NATO, European governments and business concerns.

In 2016, Microsoft attributed more so-called zero-day exploits -- attacks taking advantage of security holes unknown to the product’s vendor -- to Strontium than to any other group it tracks.

“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith wrote. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

©2018 Bloomberg L.P.