Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
US Election Hack Attacks Traced to Russia, China, IranMicrosoft: Democratic and Republican Campaigns Targeted; Most Attacks Blocked
Russian, Chinese and Iranian hackers are targeting organizations and individuals associated with the Republican and Democratic U.S. presidential campaigns, Microsoft reports.
The attacks against the parties, campaigns and consultants - the majority of which so far appear to have been blocked - have been attributed by Microsoft's Threat Intelligence Center to Russia's Strontium gang, aka APT 28 and Fancy Bear; China's Zirconium APT group; and Iran's Phosporus APT group.
One attack, Reuters reports, targeted staff at Washington-based SKDKnickerbocker. The campaign strategy firm is working with Democrat Joe Biden - his party’s presidential nominee.
"The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported," Microsoft says. The security researchers emphasized that operations associated with both President Donald Trump and Democratic presidential candidate former Vice President Joe Biden are being targeted.
Primary Threat: Russia
John Hultquist, senior director of analysis at Mandiant Threat Intelligence, tells Information Security Media Group that Russian activity continues to pose the greatest risk, not least because Russia's GRU military intelligence agency waged an election interference campaign in 2016 (see: Senators Seek Sanctions for Election Interference).
"The targeting of political organizations is a common feature of cyber espionage,” he says. “Parties and campaigns are good sources of intelligence on future policy, and it's likely Iranian and Chinese actors targeted U.S. campaigns to quietly collect intelligence. But APT28's [aka Strontium's] unique history raises the prospect of follow-on information operations or other devastating activity," Hultquist says.
Analysis: Strontium, aka APT28
Since September 2019, Strontium, which is apparently linked to the Russian government, has attempted to attack more than 200 election-related organizations, including political campaigns, advocacy groups, parties and political consultants, according to Microsoft's Threat Intelligence Center (see: Final Report: More 2016 Russian Election Hacking Details).
"Similar to what we observed in 2016, Strontium is launching campaigns to harvest people's log-in credentials or compromise their accounts, presumably to aid in intelligence gathering or disruption operations. Many of Strontium's targets in this campaign are directly or indirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe," Microsoft says.
Since 2016, Strontium has updated its tactics, adding new reconnaissance tools and obfuscation techniques, Microsoft says. The APT group now focuses on brute-force and password-spray attacks, and runs these attacks through more than 1,000 constantly rotating IP addresses, many of which use the Tor anonymizing network.
Microsoft says it has detected thousands of attacks by the Chinese group Zirconium since March, resulting in about 150 compromises. The group's apparent goal is to gain intelligence on organizations and individuals associated with the U.S. presidential election campaigns.
"For example, it appears to have indirectly and unsuccessfully targeted the 'Joe Biden for President' campaign through non-campaign email accounts belonging to people affiliated with the campaign,” Microsoft says. “The group has also targeted at least one prominent individual formerly associated with the Trump administration.”
It says Zirconium also targeted academics and individuals involved in the international affairs community, hitting more than 15 universities and accounts tied to 18 international affairs and policy organizations, including the Atlantic Council and the Stimson Center (see: Election Security: A Progress Report From CISA's Krebs).
The gang's tactics include using "web bugs" or web beacons - referring to techniques for tracking when online users have accessed content - in conjunction with domains it has purchased and populated with content, Microsoft says. Attackers then send the website's URL to a target, allowing individuals to be tracked. To outsiders, however, such activity may appear innocuous; web beacons are widely used by online advertisers.
"Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site,” the report states. "For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
Phosphorus Attacks Tracked
Researchers have also tracked some recent activity tied to Iran. Between May and June, the Tehran-tied Phosphorus hacking group unsuccessfully attempted to log into the accounts of Trump administration officials and the Trump presidential campaign staff, Microsoft reports.