Microsoft says it has found and dismantled six malicious websites designed to trick specific political organizations. The sites were set up by Fancy Bear (APT28), the Russian hacking group affiliated with Russian military intelligence that broke into the Democratic National Committee during the 2016 election.
U.S. officials have repeatedly warned that the November vote is a major focus for interference efforts. Microsoft said the sites were created over the past several months but did not go into more specifics.
Microsoft’s Digital Crimes Unit took the lead role in finding and disabling the sites, and the company is launching an effort to provide expanded cybersecurity protection for campaigns and election agencies that use Microsoft products.
Among those targeted were the Hudson Institute, a conservative Washington think tank active in investigations of corruption in Russia, and the International Republican Institute (IRI), a nonprofit group that promotes democracy worldwide. Three other fake sites were crafted to appear as though they were affiliated with the Senate, and one nonpolitical site spoofed Microsoft’s own online products.
Microsoft said Monday that it had found no evidence that the fake sites it recently discovered were used in attacks, but fake sites can carry malware that automatically loads onto the computers of unsuspecting visitors. Hackers often send out deceptive “spear-phishing” emails to trick people into visiting sites that appear to be authentic. In fact, such sites allow the attackers to penetrate and gain control of the computers that log on, enabling the theft of emails, documents, contact lists and other information.
“This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights,” said Daniel Twining, IRI’s president, who put blame on Russian President Vladimir Putin. “It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime.”
The move by Microsoft is the latest effort by Silicon Valley to address Russian threats to the coming election more aggressively than the technology industry did in 2016, when many woke up to the seriousness and sophistication of disinformation efforts only after Americans had voted.
After discovering the sites recently, Microsoft said, it sought to obtain a court order to transfer the domain names to its own servers, a legal tactic that the company’s security division has used a dozen times since 2016 to disable 84 websites created by APT28, which also is sometimes called Strontium or Fancy Bear ...
The court order, executed last week, effectively allowed Microsoft to shut down the sites and to research them more fully.
The phony websites, which were registered with major web-hosting companies, were at my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com, according to Microsoft. Their discovery underscores the central role that American tech companies, which frequently have been criticized for hosting Russian disinformation on their platforms, can play in ferreting it out.
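The six domains above share one pattern: each borrows an organization's name (IRI, Hudson, Senate) or a Microsoft service name (SharePoint, OneDrive, Office 365, ADFS) inside a registrable domain that the real organization does not own. The following Python is an added example, not Microsoft's code and not something the article describes; it shows how a defender could screen newly registered domains, proxy logs or email link targets for that pattern. The allowlist of legitimate domains and the sample input are constructed for the example, and the registrable-domain logic assumes no multi-part public suffixes such as co.uk.

```python
"""Flag lookalike domains that borrow an organization's name or a Microsoft
service name without belonging to that organization's real domain.

Added example (not Microsoft's code). Assumptions are marked in comments."""
from urllib.parse import urlsplit

# Assumption: these are the legitimate registrable domains for each name token.
# Verify against your own asset inventory before using such a list in production.
LEGITIMATE = {
    "iri": {"iri.org"},
    "hudson": {"hudson.org"},
    "senate": {"senate.gov"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "onedrive": {"onedrive.com", "microsoft.com", "live.com"},
    "office365": {"office.com", "office365.com", "microsoft.com"},
    "adfs": {"microsoft.com"},
}
ALL_LEGIT = set().union(*LEGITIMATE.values())
MIN_SUBSTRING_LEN = 5  # shorter tokens must match a whole hyphen-separated part


def hostname(value: str) -> str:
    """Accept a bare hostname or a full URL; return the lower-cased hostname."""
    if "://" in value:
        value = urlsplit(value).hostname or ""
    return value.strip().rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname.
    Assumption: no multi-part public suffixes (co.uk etc.); a production
    version would consult the Public Suffix List (e.g. the tldextract package)."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def impersonated_names(value: str) -> list[str]:
    """Return the name tokens a host impersonates, or [] if the host is
    legitimate or carries no watched token in its registrable domain.

    Tokens only count inside the registrable domain's own label:
    'adfs.hudson.org' is the real organization's subdomain, while
    'adfs-senate.services' is a separate registration that merely
    looks like one."""
    host = hostname(value)
    if not host:
        return []
    reg = registrable_domain(host)
    if reg in ALL_LEGIT:
        return []
    sld = reg.split(".")[0]          # e.g. "hudsonorg-my-sharepoint"
    parts = sld.split("-")           # e.g. ["hudsonorg", "my", "sharepoint"]
    hits = []
    for token in LEGITIMATE:
        for part in parts:
            if part == token or (len(token) >= MIN_SUBSTRING_LEN and token in part):
                hits.append(token)
                break
    return hits


def scan(values) -> dict[str, list[str]]:
    """Map each flagged input to the names it impersonates; benign hosts are omitted."""
    return {v: hits for v in values if (hits := impersonated_names(v))}


# Constructed sample: the six domains the article names, plus legitimate hosts
# that share the same words but sit under the real organizations' domains.
SAMPLE = [
    "my-iri.org", "hudsonorg-my-sharepoint.com", "senate.group",
    "adfs-senate.services", "adfs-senate.email", "office365-onedrive.com",
    "www.iri.org", "adfs.hudson.org", "https://mail.senate.gov/owa",
    "login.microsoftonline.com",
]

if __name__ == "__main__":
    for host, names in scan(SAMPLE).items():
        print(f"{host:32s} impersonates {', '.join(names)}")
```

The check deliberately ignores subdomain labels, because names like `adfs` or `sharepoint` legitimately appear as subdomains of an organization's own domain; what made the article's six sites suspicious is that the borrowed name sits in a registrable domain the organization never owned. Short tokens such as `iri` require an exact hyphen-part match to limit false positives on unrelated words.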
“The tech sector needs to play a role in protecting elections and protecting campaigns,” Rosenbach said. “The tech sector will have visibility on some of these things that the [National Security Agency] never could and never should.”
Microsoft also said Monday it was launching an initiative to provide enhanced cybersecurity protections free to candidates and campaign offices at the federal, state and local level that use its Office 365 software, as well as think tanks and political organizations the company believes are under attack.
The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and President Vladimir V. Putin of Russia.
“We are now seeing another uptick in attacks. What is particular in this instance is the broadening of the type of websites they are going after,” Microsoft’s president, Brad Smith, said Monday in an interview.
“These are organizations that are informally tied to Republicans,” he said, “so we see them broadening beyond the sites they have targeted in the past.”
The International Republican Institute’s board of directors includes several Republican leaders who have been highly critical of Mr. Trump’s interactions with Mr. Putin, including a summit meeting last month between the two leaders in Helsinki, Finland.
In 2016, a federal judge in Virginia agreed that the group Microsoft calls “Strontium” and others call “APT 28,” for “advanced persistent threat,” would continue its attacks. The judge appointed a “special master” with the power to authorize Microsoft to seize fake websites as soon as they are registered. As a result, the hackers have lost control of many of the sites only days after creating them.
But it is a constant cat-and-mouse game, as the Russian hackers seek new vectors of attack while Microsoft and others seek to cut them off.
Microsoft says it is expanding its effort to help political candidates counter foreign influence. It is starting an initiative it calls “AccountGuard” to bolster protections to candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.
With the midterms less than three months away, Microsoft said greater cooperation was needed between tech companies and the federal government over efforts to interfere in the American elections.
“Over the last year, the larger tech companies, in particular, have put into place stronger information-sharing practices where we have seen these threats emerge,” Mr. Smith said. “Those agreements, however, are informal.”