Microsoft Says Russian Operation Targeted U.S. Conservative Groups As Midterms Loom

Microsoft's French headquarters, seen outside Paris last year.
Microsoft's French headquarters, seen outside Paris last year.
Raphael Satter/AP

Updated at 9:41 a.m. ET

A familiar cyberattack suspect linked with the Russian intelligence service has resurfaced in the months leading up to the U.S. midterm elections, according to Microsoft. The tech giant announced overnight that last week it executed a court order to disrupt six fraudulent websites set up by a hacker group known by many names — most often APT28, but also Fancy Bear or Strontium, among others.

The unit has been associated with the Russian spy agency GRU and blamed for a raft of high-profile hacks across the world in recent years — including the breaches of the Democratic National Committee's network during the 2016 presidential election.

In this case, Microsoft says the group established a half-dozen domains meant to be confused with two conservative groups, the U.S. Senate and even Microsoft's own suite of products. Two of those targets, the nonprofit International Republican Institute and the Hudson Institute research center have often criticized the Kremlin.

Microsoft says the two groups were targeted with my-iri.org and hudsonorg-my-sharepoint.com, and that three domains — senate.group, adfs-senate.services and adfs-senate.email — mimicked the Senate. Microsoft itself appears to have been the focus of office365-onedrive.com.

Microsoft notes that it has "no evidence" to indicate the domains were used in any successful attacks, or to conclusively determine their ultimate object.

Elizabeth Dwoskin of The Washington Post explains why the starkly similar domain names are significant — and why Microsoft has a vested interest in shutting them down.

"Remember, Microsoft is managing one of the largest corporate email programs in the world," she tells NPR's Morning Edition. "When you open up your email and you click on a link — you think it's an email from a trusted person, and then you're taken to a website that is loaded up with malware and it's going to take your credentials."

But paired with the other phony sites, "these domains show a broadening of entities targeted by Strontium's activities," the company explains — and adds that these attacks are neither the first nor likely to be the last to be launched by the hacking group. The company says that in just the past two years, it has shut down 84 such fake websites.

"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States," Microsoft says. "Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."

That's a sentiment echoed by one of the most recent apparent targets, the IRI, which is chaired by sitting U.S. Sen. Dan Sullivan, R-Alaska.

"This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights," the group's president, Daniel Twining, tells The Washington Post. "It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin's authoritarian regime."

The Kremlin has denied the allegations, according to the Russian news agency Interfax. It cites an unnamed diplomatic source who reportedly dismissed the claims as Microsoft simply "playing political games": "The elections have not happened yet," the diplomat says, "but there are already allegations."

The U.S. intelligence community has concluded that Russian interference in the 2016 election was aimed at boosting Donald Trump's bid for the presidency. Just last month the Justice Department charged 12 Russian intelligence officers, members of the GRU, with leveling a massive cyberattack against Democratic Party targets during the 2016 campaign, including the hack of the DNC's network.

President Trump, for his part, has offered shifting accounts of how he views the Russian activity, at times downplaying these cyberattacks and the prospect of their recurrence, while at others pledging to "counteract it very strongly." Occasionally those shifts have come within a matter of hours.

Lawmakers and members of Trump's own administration, however, have offered more concrete assessments.

"We are not yet seeing the kind of electoral interference in specific states and voter databases that we experienced in 2016," Director of National Intelligence Dan Coats said last month. "However, we fully realize that we are just one click of the keyboard away from a similar situation repeating itself."

As for Microsoft, that means developing new initiatives and new partnerships to prevent the kinds of attacks seen in 2016 from resurfacing. The company used its blog post announcing last week's court-ordered maneuver to introduce a new program called AccountGuard, which it says will provide "cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack."

"In the face of this continuing activity, we must work on the assumption that these attacks will broaden further," Microsoft says. "An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector."

Copyright 2018 NPR. To see more, visit http://www.npr.org/.