Microsoft Warns of Cyberattacks From Russia, China & Iran Ahead of U.S. Election
Microsoft on Thursday confirmed widespread cyberattacks launched by foreign adversaries from Russia, China, and Iran against organizations and people associated with the 2020 U.S. presidential election.
Microsoft on Thursday made public the malicious attempts at influencing the upcoming 2020 U.S. presidential election. With just over 50 days remaining until election day, attackers are targeting key figures, campaign staff, and even consultants.
The disclosure isn’t all that surprising considering that William Evanina, the Director of the United States National Counterintelligence and Security Center (NCSC), warned the public in July. He said covert and overt measures are being undertaken by foreign actors and states to “sway U.S. voters’ preferences and perspectives, shift U.S. policies, increase discord in the United States, and undermine the American people’s confidence in our democratic process.”
Moreover, one of the groups actively targeting organizations and individuals, according to Microsoft, also interfered in the 2016 presidential election in favor of Trump. John Hultquist, Director of Intelligence Analysis at FireEye, told Security Week, “This is the actor from 2016, potentially conducting business as usual. We believe that Russian military intelligence continues to pose the greatest threat to the democratic process.”
The 2016 election was marred by controversy over suspicions of tampering and interference, mainly from Russia. However, the report by the special counsel and former FBI Director Robert Mueller did not establish the alleged collusion between Trump and Russia.
The NCSC in its July update warned that Russia, China, and Iran may try to influence the U.S. election for various reasons. Microsoft’s latest report confirms those suspicions: it identifies three adversarial groups, namely Strontium (Russian), Zirconium (Chinese), and Phosphorus (Iranian), that are actively targeting organizations and individuals involved in the 2020 election.
Tom Burt, Corporate Vice President, Customer Security & Trust at Microsoft, said that the company has been monitoring these activities for several months. The software giant is notifying targets as well as those that were compromised, and says most attacks were thwarted by security tools built into Microsoft products. Burt said, “The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves.”
Microsoft Threat Intelligence Center (MSTIC) sheds light on the three malicious groups. Let us take a closer look at each of them:
Strontium | Russia
Also known as APT28 or Fancy Bear, the group steals credentials and uses the resulting access to gather intelligence about election campaigns, which it then uses to disrupt planned activities. According to the Mueller Report, Strontium (Fancy Bear) was also allegedly a prime organization behind the attacks on the 2016 U.S. elections.
In 2016, Strontium primarily relied on spear phishing campaigns. Its tradecraft has since expanded to brute force attacks and password spraying alongside spear phishing. To conceal the attackers’ identity, the threat actors obscured the attacks by constantly routing them through more than 1000 IP addresses. The group even leveraged Tor for its malicious operations.
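Password spraying that rotates through many source IPs, as described above, keeps per-IP failure counts too low for classic lockout rules. The following added example (not from the article or from Microsoft) runs over constructed sign-in records and contrasts a per-IP rule with a rule that counts distinct accounts failing inside one time window, which is the signature a spray leaves regardless of how many IPs it uses:

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (ISO timestamp, account, source IP, result).
# Seven accounts each see one failure from a different IP within a minute; later
# one legitimate user (alice) mistypes once and then succeeds from a single IP.
SIGNIN_LOGS = [
    ("2020-09-10T08:00:01", "alice", "203.0.113.10", "FAIL"),
    ("2020-09-10T08:00:04", "bob",   "203.0.113.11", "FAIL"),
    ("2020-09-10T08:00:07", "carol", "203.0.113.12", "FAIL"),
    ("2020-09-10T08:00:09", "dave",  "203.0.113.13", "FAIL"),
    ("2020-09-10T08:00:12", "erin",  "203.0.113.14", "FAIL"),
    ("2020-09-10T08:00:15", "frank", "203.0.113.15", "FAIL"),
    ("2020-09-10T08:00:18", "grace", "203.0.113.16", "FAIL"),
    ("2020-09-10T09:30:00", "alice", "198.51.100.7", "FAIL"),
    ("2020-09-10T09:30:05", "alice", "198.51.100.7", "SUCCESS"),
]

def per_ip_lockout_alerts(records, threshold=5):
    """Classic rule: alert on any IP with >= threshold failures. Returns offending IPs."""
    fails = Counter(ip for _, _, ip, res in records if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_alerts(records, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Bucket failures into fixed windows and flag a window where failures are spread
    across many distinct accounts with few attempts each. Source IP is not part of
    the condition, so rotating IPs does not hide the pattern."""
    buckets = defaultdict(list)
    for ts, acct, ip, res in records:
        if res != "FAIL":
            continue
        t = datetime.fromisoformat(ts)
        minutes = window.seconds // 60
        start = t - timedelta(minutes=t.minute % minutes, seconds=t.second)
        buckets[start].append((acct, ip))
    alerts = []
    for start, attempts in sorted(buckets.items()):
        per_account = Counter(acct for acct, _ in attempts)
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            alerts.append({
                "window_start": start.isoformat(),
                "accounts": len(per_account),
                "source_ips": len({ip for _, ip in attempts}),
            })
    return alerts

if __name__ == "__main__":
    print("per-IP rule:", per_ip_lockout_alerts(SIGNIN_LOGS))  # []
    print("spray rule:", spray_alerts(SIGNIN_LOGS))
```

The per-IP rule fires on nothing, while the window rule reports one window with seven accounts failing from seven different IPs; alice's single mistake at 09:30 stays below the account threshold.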
Russia’s Strontium has carried out attacks against 200 organizations associated with the 2020 election, including political campaigns, advocacy groups, parties and political consultants. Targets also include organizations from entertainment, hospitality, manufacturing, financial services and physical security industries. Besides those from the U.S., European organizations involved in political and policy-related activities were also targeted.
Some examples:
- U.S. based consultants serving Republicans and Democrats
- Think tanks such as The German Marshall Fund and advocacy organizations
- National and state party organizations in the U.S.
- The European People’s Party and political parties in the UK
Zirconium | China
Microsoft observed thousands of attacks by the Zirconium group between March 2020 and September 2020. Its prime targets included anyone associated with the U.S. presidential campaigns, regardless of the target’s political affiliation.
They also targeted prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations, including the Atlantic Council and the Stimson Center.
The Chinese group, also known as APT31, uses web bugs (web beacons), small tracking objects used to spy on the target. Web bugs, typically delivered as image files such as .gif, .png or .jpeg, are embedded in a website, within an email, or in any other HTML-enabled service; when the content is rendered, the image is fetched from the attacker’s server, which records the request. They are used largely to track users visiting a website. “For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active,” Burt explained.
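A mail client that blocks remote images by default defeats this reconnaissance, because the beacon is only useful if it is fetched. The following added example (not from the article or from Microsoft) scans a constructed HTML message for the tell-tale signs of a beacon: a remote image with tiny dimensions, hidden by style, or carrying a per-recipient token in its query string. Inline (cid:) images never leave the message and are skipped; the domains are documentation placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body with one legitimate inline logo, two likely
# beacons, and one ordinary remote photo.
SAMPLE_HTML = """
<html><body>
<p>Hello, please review the attached agenda.</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="https://tracker.example.net/o.gif?u=abc123" width="1" height="1">
<img src="https://cdn.example.org/banner.jpg" style="display: none; border:0">
<img src="https://www.example.com/photo.png" width="300" height="200">
</body></html>
"""

class BeaconScanner(HTMLParser):
    """Collects <img> tags that would cause a remote fetch and look like beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        # Only http(s) sources report back to a server; cid: and data: stay local.
        if urlparse(src).scheme not in ("http", "https"):
            return
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("tiny dimensions")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if urlparse(src).query:
            reasons.append("query string (possible per-recipient token)")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})

def find_beacons(html):
    """Return the list of suspected beacons, each with the source URL and reasons."""
    scanner = BeaconScanner()
    scanner.feed(html)
    return scanner.findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_HTML):
        print(f["src"], "->", ", ".join(f["reasons"]))
```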
Zirconium’s activities from March through September this year resulted in account compromises of at least 150 users.
Phosphorus | Iran
Also known as APT35, the group is likely backed by the Iranian government. Last year, between August and September, the Phosphorus group undertook 241 attacks against Microsoft consumers.
In response, Microsoft obtained a court order and took over 155 web domains previously owned by Phosphorus.
Microsoft revealed that the Phosphorus group attempted to take over accounts of administration officials and President Trump between May and June 2020. The Iranian group was also behind attacks on both the personal and work accounts of individuals involved directly or indirectly with the U.S. presidential election.
Thea McDonald, Deputy Press Secretary for Trump’s re-election campaign told Security Week, “We are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff.”