Russian hacking attempts are widening in scope, Microsoft warns

Hackers linked to the Russian government appear to be broadening their attacks in the run-up to November congressional elections, Microsoft said Monday, most recently by impersonating sites for conservative think tanks as well as the US Senate.


Hackers used fake domains to impersonate the Hudson Institute and the International Republican Institute as well as the US Senate in a hijacking campaign that could have allowed them to access personal data or implant malware. Such “spear-fishing” cyber attacks are aimed at convincing victims to enter their user names and passwords on the fake sites, granting hackers access to their credentials.

“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Microsoft President Brad Smith said in a statement published on the company’s website.

He said the company’s Digital Crimes Unit had executed a court order last week to transfer control of six fraudulent Internet domains from the Russian hacking collective known as Strontium (also known as Fancy Bear, APT28 and other names) to Microsoft. A federal judge in Virginia appointed a “special master” in 2016 to authorize Microsoft to seize control of fake sites.

Several Western intelligence agencies believe Strontium is run by Russia’s GRU military intelligence agency, which consistently deniesany links to the hackers.

“[W]e are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith said.

The Hudson Institute has held events on dismantling Russian international crime organizations and others critical of Russian foreign policy. In April 2016 theInternational Republican Institute launched the Beacon Project, a program it said was “aimed at countering the increasing threat of Russian soft power and propaganda” by partnering with European political parties and think tanks.

Microsoft said it had shut down 84 fraudulent websites over the past two years.

The company is also making “state-of-the-art cybersecurity protection” available for free to “all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack”.

Smith said there was no evidence so far that hackers had succeeded in fooling anyone into clicking on the fraudulent sites. And with each new attempt, cyber attacks are becoming more recognizable.

“Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France,” he said.

US Special Counsel Robert Mueller – who is investigating Russian attempts to influence the 2016 election, including through cyber attacks – indicted 12 Russian intelligence officers in July for their alleged roles in hacking the Democratic National Committee and members of the Hillary Clinton campaign. Two GRU units are accused of stealing emails and documents as well as installing malware.

According to the indictment, they then disseminated “tens of thousands” of these stolen documents and emails using online personas including “DCLeaks” and “Guccifer 2.0”.

After the US presidential election, cybersecurity companies discovered several websites created by Russian hackers to mimic those of well-known institutions, the New York Times reported. Among those targeted were the Council on Foreign Relations, the Eurasia Group, Transparency International in Berlin and the International Institute for Strategic Studies in London.

Facebook said last month it had deactivated 32 fake pages and accounts it suspected were part of a foreign interference campaign ahead of November’s congressional elections.

“We don’t know what hackers they are talking about,” Kremlin spokesman Dmitry Peskov told reporters on Tuesday in response to the Microsoft announcement.

“Who exactly are they talking about? We don’t understand what proof and what the basis is for them drawing these kind of conclusions.”

A third of House candidates vulnerable

The new revelations come just weeks after Microsoft discovered that the computer network of Senator Claire McCaskill, a Missouri Democrat running for re-election, had been targeted unsuccessfully by Russian hackers.

Reuters reported last week that the FBI was investigating a cyber attack on the congressional campaign of David Min, a Democratic candidate who lost a June primary for California’s 45th Congressional district. The FBI is also investigating a cyber campaign against Hans Keirstead, another California Democrat who was defeated in a primary in the 48th Congressional district, Rolling Stone reported.

An independent study unveiled at the annual Def Con security conference in Las Vegas earlier this month found the websites of nearly one-third of candidates for the US House from both parties were vulnerable to attacks.

Joshua Franklin, a former National Institute for Standards and Technology security expert who led the team of four researchers, told Reutersthey found potentially malicious web pages with URLs that closely resembled the candidates’ names. Hackers use a practice known as “typo squatting” or “URL hijacking” – in which they register domains to take advantage of typos in URLs – to build fake sites used in phishing attacks.

The candidates most at risk are those with smaller campaigns and little expertise in cyber security, Franklin said.

But even seasoned political operatives like those on the Clinton campaign can fall prey to more sophisticated attacks.

In an interview with the New York Times published on Tuesday,Professor of Strategic Studies at Johns Hopkins University Thomas Rid said he had doubts about whether cyber security experts can stay one step ahead of the hackers.

“These attacks keep happening because they work,” Rid said. “They are successful again and again.”

“Microsoft is playing whack-a-mole here. These [fake] sites are easy to register and bring back up, and so they will keep doing so.”