Microsoft Corp. has detected and seized web domains created by cyber-attackers linked to the Russian military, in a potential attempt to manipulate and disrupt the U.S. midterm elections.
The shadowy group, known as Strontium, created domains that mimicked organizations such as the International Republican Institute and Hudson Institute so intended victims would believe they were receiving emails or visiting real sites, Microsoft President Brad Smith said in a blog post. Microsoft said it’s sifting through evidence of the group’s intentions after getting a court order to take over those domains, effectively disrupting the hacking campaign.
The two targeted institutions are conservative bastions, which at times have been at odds with Russia or U.S. President Donald Trump. Russia rejected Microsoft’s accusations that it was attempting to influence upcoming U.S. elections, which will determine control of Congress, Interfax reported Tuesday, citing an unidentified diplomatic official.
Russia is accused of trying to sway the vote in 2016 through disinformation campaigns and targeted hacking, setting in motion a fiery dispute between Trump and Democrats. Even before Microsoft’s warning, top U.S. national security officials had sounded the alarm of further meddling in the midterms. At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage two years ago.
The U.S. Congress is considering measures that would impose more sanctions on Russia if it’s found to be meddling in the midterms. Hearings are scheduled Tuesday in the Senate Banking and Foreign Affairs committees on the sanctions’ effectiveness and the prospect of more penalties, including those targeting energy companies, banks, mining interests and new Russian sovereign debt.
“Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems,” Smith said in the blog post. “These domains show a broadening of entities targeted by Strontium’s activities.”
Attackers register legitimate-looking domains and then use them to host lookalike websites and to send email, for example in a phishing campaign. Microsoft said it has found no evidence so far that the half-dozen domains in the latest case were used in successful attacks, nor who the intended targets may have been. It said it has notified and is working with the affected organizations.
The Hudson Institute has been critical of Russia in the past, while the International Republican Institute promotes democracy around the world and counts six Republican senators as well as a leading Senate candidate among its directors, Microsoft said. Those include John McCain — one of Trump’s most vocal critics in Congress — and former presidential candidate Mitt Romney. Both have criticized Trump’s interactions with Russia’s Vladimir Putin, particularly around a July summit meeting in Helsinki. In 2016, Russia blacklisted the institute as a threat to its national security.
Both Republicans and Democrats in Congress have called for tough measures against Russia after Trump was seen as too conciliatory toward Putin in Helsinki.
While Trump has said “nobody’s been tougher on Russia than I have,” he has continued to waver on his acceptance of the finding by U.S. intelligence agencies that Russia interfered in the 2016 presidential campaign and especially the conclusion that the goal was to help him win.
Many of the sanctions that have been imposed on Russia so far have been required by new or long-standing legislation passed by Congress, such as the State Department’s move this month to punish Putin’s government for the nerve-agent attack on a former spy and his daughter in the U.K.
In the latest example, Strontium also established a trio of domains that carried the “senate” keyword, and one that mimicked Microsoft’s own Office 365 suite of cloud software. The company said it has been monitoring domain activity with U.S. Senate IT staff for months, after previously uncovering attempted attacks on the staff of two senators.
International tension over cybersecurity has escalated since the U.S. intelligence community concluded that Russia meddled in the 2016 presidential election with the goal of hurting Democratic candidate Hillary Clinton. Strontium is also known as Fancy Bear or APT28 and has been linked to the Russian government and to U.S. political hacks. The group has also been linked to attacks against the White House, NATO, European governments and businesses.
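The lookalike-domain technique described in this article (brand names with extra tokens, a protected keyword such as “senate” dropped into a label, a near-spelling of a real product name) is something a defender can screen for in newly registered domains or inbound sender domains. The following Python is an added example, not code from the page or from Microsoft: it flags a candidate domain when it embeds a protected keyword in a label the organization does not own, when it sits within a small edit distance of a protected domain, or when it folds to a protected domain after confusable characters are normalized. The protected domains, keyword list, confusable table and sample candidates are all constructed for the example and are not the domains named in the seizure.

```python
"""Flag domains that impersonate a set of protected organizations.

Constructed example: the protected list, keywords and candidate domains are
invented for illustration; they are not the domains involved in the seizure.
"""
import re
import unicodedata

# Registrable domains we protect (constructed, assumed for the example).
PROTECTED_DOMAINS = {"iri.org", "hudson.org", "senate.gov",
                     "office365.com", "microsoft.com"}
# Brand words an impostor is likely to embed; ordered for deterministic output.
# Short words such as "iri" will also hit innocent labels ("iris..."), so a real
# deployment pairs this list with an allowlist of domains the brand actually owns.
PROTECTED_KEYWORDS = ("iri", "hudson", "senate", "adfs", "office365",
                      "onedrive", "sharepoint", "microsoft")
# A few common ASCII confusables (a full system would use Unicode confusables data).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain):
    """Lower-case, strip accents (e.g. o-acute -> o) and fold ASCII confusables."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def registrable(domain):
    """Last two labels. Good enough for .org/.com/.gov; real code should use a public-suffix list."""
    labels = domain.strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), used for typo-squat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return the reasons a domain looks like an impersonation; an empty list means no match."""
    raw = domain.lower().strip(".")
    if registrable(raw) in PROTECTED_DOMAINS:
        return []  # the real domain or one of its own subdomains
    norm = normalize(raw)
    reg_norm = registrable(norm)
    reasons = []
    # 1. Folds to a protected domain once confusables/accents are removed.
    if reg_norm in PROTECTED_DOMAINS:
        reasons.append(f"homoglyph of {reg_norm}")
    # 2. Within two edits of a protected domain (typo-squat).
    for legit in sorted(PROTECTED_DOMAINS):
        dist = levenshtein(reg_norm, legit)
        if 0 < dist <= 2:
            reasons.append(f"edit distance {dist} from {legit}")
    # 3. Protected keyword used as, or at the edge of, a label we do not own.
    labels = re.split(r"[.\-_]", norm)
    for kw in PROTECTED_KEYWORDS:
        if any(lab == kw or lab.startswith(kw) or lab.endswith(kw) for lab in labels):
            reasons.append(f"contains keyword {kw}")
    return reasons


def scan(domains):
    """Map each flagged domain to its reasons; clean domains are omitted."""
    return {d: r for d in domains if (r := classify(d))}


if __name__ == "__main__":
    # Constructed candidates: the kind of names a new-registration feed might surface.
    SAMPLE = ["microsoft.com", "news.example.com", "hudsom.org", "rnicrosoft.com",
              "huds\u00f3n.org", "senate-adfs.email", "office365-login.com"]
    for dom, why in scan(SAMPLE).items():
        print(f"{dom:24} {'; '.join(why)}")
```

Each hit carries its reason so an analyst can tune thresholds separately: the edit-distance rule catches single-character typos, the keyword rule catches the "brand plus extra words" pattern the article describes, and the homoglyph rule catches a name that is only the real domain once look-alike characters are folded.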
In 2016, Microsoft attributed more so-called zero-day exploits — attacks taking advantage of security holes unknown to the product’s vendor — to Strontium than any other group it tracks.
“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith wrote. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”