Microsoft warns of state-backed hackers targeting US elections

Microsoft has warned that in recent weeks it has detected cyber attacks targeting people and organisations involved in the upcoming US presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns.

A blog post from Tom Burt, the tech giant’s corporate vice president for customer security and trust, explained that the activity makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election, as had been anticipated.

Microsoft’s security teams have observed that Strontium, operating from Russia, has attacked more than 200 organisations including political campaigns, advocacy groups, parties and political consultants.

Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community.

Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald Trump for President campaign.

The majority of these attacks were detected and stopped by security tools built into Microsoft products, but Burt stated that they underscore the importance of work underway at the United Nations to protect cyberspace and initiatives like the Paris Call for Trust and Security in Cyberspace.

Explaining the threat actors in greater detail, the post said that Strontium is an activity group operating from Russia whose activities Microsoft has tracked and taken action to disrupt on several previous occasions.

It was also identified in the Mueller report as the organisation primarily responsible for the attacks on the Democratic presidential campaign in 2016.

Microsoft’s Threat Intelligence Center (MSTIC) observed a series of attacks conducted by Strontium between September 2019 and today. It has launched campaigns to harvest people’s log-in credentials or compromise their accounts, presumably to aid in intelligence gathering or disruption operations.

MSTIC’s investigation revealed that Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations. In 2016, the group primarily relied on spear phishing to capture people’s credentials, but in recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations.

Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymising service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.
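The two paragraphs above describe why a spray is harder to spot than a brute-force run: the attacker tries one or two passwords against many accounts and rotates the source address, so a per-IP failure counter never crosses its threshold. The following is an added example, not code from Microsoft or from the post, showing detection logic that keys on the time window across the whole tenant rather than on the source IP. The log format, the account names, the addresses and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real telemetry). Format:
# <ISO-8601 timestamp> <account> <source IP> <SUCCESS|FAIL>
# Lines 1-8 are a spray: one guess per account, each from a different IP.
# Lines 9-18 are a brute-force run against a single account from one IP.
# Lines 19-20 are an ordinary user mistyping once and then succeeding.
SAMPLE_LOG = """\
2020-09-01T10:00:01Z alice@example.org 198.51.100.10 FAIL
2020-09-01T10:00:04Z bob@example.org 198.51.100.11 FAIL
2020-09-01T10:00:09Z carol@example.org 203.0.113.7 FAIL
2020-09-01T10:00:13Z dan@example.org 198.51.100.12 FAIL
2020-09-01T10:00:20Z erin@example.org 203.0.113.9 FAIL
2020-09-01T10:00:27Z frank@example.org 198.51.100.13 FAIL
2020-09-01T10:00:31Z grace@example.org 203.0.113.21 FAIL
2020-09-01T10:00:35Z heidi@example.org 198.51.100.14 SUCCESS
2020-09-01T10:03:00Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:02Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:04Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:06Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:08Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:10Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:12Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:14Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:16Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:03:18Z ivan@example.org 192.0.2.50 FAIL
2020-09-01T10:10:00Z judy@example.org 192.0.2.77 FAIL
2020-09-01T10:10:05Z judy@example.org 192.0.2.77 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"when": when, "account": account, "ip": ip, "ok": result == "SUCCESS"})
    return events


def _bucket(when, window_s):
    """Start (epoch seconds) of the fixed window containing `when`."""
    epoch = int(when.timestamp())
    return epoch - epoch % window_s


def failures_per_ip(events):
    """The naive counter: failures keyed by source IP. Each spraying IP
    contributes only one failure here, so an IP threshold never fires."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[e["ip"]] += 1
    return dict(counts)


def detect_password_spray(events, window_s=300, min_accounts=5, max_per_account=2):
    """Flag windows in which many distinct accounts each see a few failures.

    Keyed on the time window across all accounts, not on the source IP, so
    rotating the source through many addresses does not hide the pattern.
    Accounts with more than `max_per_account` failures are left out of the
    count because that shape is brute force, not a spray. Successful logins
    inside a flagged window are returned for review as possible compromises.
    Thresholds are assumptions for the example, not tuned values.
    """
    buckets = defaultdict(list)
    for e in events:
        buckets[_bucket(e["when"], window_s)].append(e)
    alerts = []
    for start, evs in sorted(buckets.items()):
        fails_by_account = defaultdict(int)
        for e in evs:
            if not e["ok"]:
                fails_by_account[e["account"]] += 1
        sprayed = [a for a, n in fails_by_account.items() if n <= max_per_account]
        if len(sprayed) < min_accounts:
            continue
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "accounts_failed": len(sprayed),
            "source_ips": len({e["ip"] for e in evs if not e["ok"]}),
            "successes": sorted(e["account"] for e in evs if e["ok"]),
        })
    return alerts


def detect_brute_force(events, window_s=300, threshold=8):
    """Flag accounts with many failures in one window: the 2016-style pattern."""
    counts = defaultdict(int)
    for e in events:
        if not e["ok"]:
            counts[(e["account"], _bucket(e["when"], window_s))] += 1
    flagged = {}
    for (account, _), n in counts.items():
        if n >= threshold:
            flagged[account] = max(flagged.get(account, 0), n)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP failures:", failures_per_ip(evs))
    print("spray windows:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
```

On the sample data the per-IP counter sees a single failure from each spraying address and ten from the brute-force address, so an IP-based rule catches only the latter; the window-based rule reports the seven sprayed accounts, the eight source addresses, and the one account that logged in successfully during the spray. In production the window should also exclude accounts that already had a failure in the preceding window, and the success list should be joined against the user's usual locations before it is treated as a compromise.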

Meanwhile China’s Zirconium hacking group has attempted to gain intelligence on organisations associated with the upcoming election.

“We’ve detected thousands of attacks from Zirconium between March 2020 and September 2020 resulting in nearly 150 compromises,” read Burt’s post, adding that its targets have included individuals in two categories.

First, the group is targeting people closely associated with presidential campaigns and candidates, and second, it is targeting prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international policy units.

Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.
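The mechanism described above is simple enough to show end to end. The following is an added example, not code from Microsoft, from the post or from the actor: the operator side mints a per-target URL for a one-pixel image on a domain it controls and records which tokens are fetched, and the defender side parses an incoming HTML message and flags remote images so a gateway or client can refuse to load them. The domain `beacon.example`, the key, the addresses and the lure text are all assumptions constructed for the example.

```python
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed values for the example: a domain the operator controls and a
# per-campaign key used to derive tokens that cannot be guessed by others.
BEACON_HOST = "beacon.example"
CAMPAIGN_KEY = b"constructed-example-key-not-a-real-secret"


def beacon_token(target, key=CAMPAIGN_KEY):
    """Stable, unguessable token tied to one target address."""
    return hmac.new(key, target.encode(), hashlib.sha256).hexdigest()[:16]


def beacon_url(target):
    return f"https://{BEACON_HOST}/img/{beacon_token(target)}.gif"


def lure_html(target):
    """A benign-looking message carrying a 1x1 remote image. No malicious
    content is served; the fetch itself is the signal the operator wants."""
    return (
        "<html><body><p>Please review the attached agenda for next week.</p>"
        f'<img src="{beacon_url(target)}" width="1" height="1" alt="">'
        "</body></html>"
    )


class BeaconServer:
    """Operator side: maps tokens back to targets and records who loaded the image."""

    def __init__(self, targets):
        self.tokens = {beacon_token(t): t for t in targets}
        self.hits = {}  # target -> list of user agents that fetched the image

    def handle(self, path, user_agent):
        """Handle one GET for `path`; returns an HTTP status code."""
        token = path.rsplit("/", 1)[-1]
        if token.endswith(".gif"):
            token = token[:-4]
        target = self.tokens.get(token)
        if target is None:
            return 404
        self.hits.setdefault(target, []).append(user_agent)
        return 200  # a real server would also return the pixel body


class _RemoteImageFinder(HTMLParser):
    """Defender side: collect <img> tags whose source is fetched over HTTP(S)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if urlparse(src).scheme not in ("http", "https"):
            return  # inline (cid:, data:) images do not reach a remote host
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        self.images.append({"src": src, "host": urlparse(src).hostname, "tiny": tiny})


def find_remote_images(html):
    """Return the remote images in an HTML message; any of them is a beacon
    candidate, and a 1x1 image is the classic shape."""
    p = _RemoteImageFinder()
    p.feed(html)
    return p.images


if __name__ == "__main__":
    server = BeaconServer(["target@example.org", "other@example.org"])
    message = lure_html("target@example.org")
    for img in find_remote_images(message):
        print("remote image:", img)
        # Simulate a mail client that auto-loads remote content.
        print("server status:", server.handle(urlparse(img["src"]).path, "Mozilla/5.0"))
    print("operator now knows these accounts are live:", list(server.hits))
```

The defence follows from the defender-side half: a mail client or gateway that does not fetch remote images, or that proxies them through a shared cache so every recipient looks identical, denies the operator the per-account signal. The same token-in-URL pattern applies to a link in the message body or an attachment, with the difference that a link only fires when the user clicks it, whereas an image fires as soon as the client renders the message.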

Finally, Phosphorus is an activity group operating from Iran that MSTIC has tracked for several years. The actor has operated espionage campaigns targeting a wide variety of organisations traditionally tied to geopolitical, economic or human rights interests in the Middle East region.

Microsoft has previously taken legal action against Phosphorus’ infrastructure and its efforts late last year to target a presidential campaign. Last month, as part of ongoing efforts to disrupt Phosphorus activity, Microsoft was again given permission by a federal court in Washington DC to take control of 25 new internet domains used by Phosphorus.

“Since our last disclosure, Phosphorus has attempted to access the personal or work accounts of individuals involved directly or indirectly with the US presidential election,” read the statement. “Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald Trump for President campaign staff.”

Burt concluded the post by calling for more federal funding to help states better protect their election infrastructure.

“We continue to encourage state and local election authorities in the US to harden their operations and prepare for potential attacks,” he wrote. “But as election security experts have noted, additional funding is still needed, especially as resources are stretched to accommodate the shift in COVID-19-related voting.”

Commenting on the news, William Dixon, cybersecurity lead at the World Economic Forum, said these latest attacks constitute the emergence of new strategic “red lines” being drawn in cyberspace - adding that for some, attacks on the integrity of election processes might be a step too far.

"There have to be concerted efforts to educate voters on malicious activity, secure election infrastructure and build better collective cyber resilience - critically, an outstanding issue is how to identify and address inauthentic behaviour on social media platforms to stop them potentially being used by hostile actors."

Dixon added: "Ultimately though, these measures will only go so far; the fundamental challenge is how we foster better international cooperation in cyberspace, and increase dialogue to agree on the fundamental principles we expect from all participants."
