Russian Cyberspies Target 2018 U.S. Midterm Elections
APT28 Behind Cyberattacks
In July, Microsoft announced that Russia-linked threat actors attempted to hack at least three 2018 U.S. midterm election candidates. The company also added that it has helped the U.S. government to repeal their attacks.
The news was confirmed by a Microsoft executive speaking at the Aspen Security Forum, who revealed that the hacking attempts against at least three unnamed congressional candidates were all detected this year.
The hackers launched a spearphishing campaign aimed at the candidates. The messages included links to a fake Microsoft website used by the hackers to trick victims into providing their credentials.
Microsoft attributed the attacks to the Russia-linked APT28 group, the same threat actor that was involved in the attacks against the 2016 Presidential election.
The group known as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) has been active since at least 2007 and operates under the Russian military agency GRU.
The discovery made by Microsoft shows that APT28 continues to target the U.S. politicians. Microsoft executive Tom Burt compared the recent activities with the cyberattacks that interfered with the 2016 Presidential election; at the time, he also pointed out that unlike the 2016 campaign attacks, the 2018 attacks do not target think tanks and academic experts. This would change.
In July, Russian hackers also targeted Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.
As reported by The Daily Beast, McCaskill always expressed criticism of Russia and its aggressive strategy in cyberspace. McCaskill has repeatedly accused the Russian Government of “cyber warfare against our democracy,” and she defined President Vladimir Putin as a “thug” and a “bully.”
Russian cyberspies launched spear phishing attacks against the members of the staff aimed at stealing their credentials, the same tactic used against Hillary Clinton campaign manager John Podesta in 2016. The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.
The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.
McCaskill explained that the attempted hack of her staff failed.
A Month Later
In August, Facebook announced it was shutting down content and accounts “engaged in coordinated inauthentic behavior.” Facebook did not attribute the attacks to Russia, but intelligence experts suspect that Russian APT groups were behind the operation.
According to Facebook, “some of the activity is consistent” with Tactics, Techniques and Procedures (TTPs) associated with the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.
Facebook revealed that some 290,000 users followed at least one of the blocked pages. According to Facebook, some of the fake pages were used to promote real-world events, two of which have taken place.
Just after Facebook’s announcement, the U.S. government remarked it will not tolerate any interference from foreign states.
The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign. Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and Internet phone services to protect their anonymity.
Facebook announced it would start notifying users that were following the blocked accounts and users who said they would attend events created by one of the suspended accounts and pages. The tech giant also reported its findings to U.S. law enforcement agencies, Congress and other tech companies.
A month after Microsoft’s announcement of cyberattacks against 2018 U.S. midterm election, the company spotted a new hacking campaign targeting the midterms.
“It’s clear that democracies around the world are under attack,” stated Microsoft. “Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections.”
Microsoft once again attributed the attacks to APT28. This time, hackers targeted members of United States Senate, conservative organizations and think tanks.
The Russian cyberspies created at least six fake websites related to the U.S. Senate and conservative organizations to infect the visitors’ systems. Three fake domains were created to appear as legitimate websites belonging to the U.S. Senate, while another site was created to spoof Microsoft’s online products.
The remaining websites were designed to mimic two U.S. conservative think tanks:
- The Hudson Institute — A conservative Washington think tank.
- The International Republican Institute (IRI) — A nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain
Microsoft did not provide further details on the attacks, but it is likely that the hackers set up the sites to steal login credentials from the visitors and use them in later attacks. Another possible attack scheme sees the websites hosting exploit kits that were used to deliver malware. The website spoofing the Microsoft product was likely bait to steal Microsoft login credentials used by the targeted organizations.
Microsoft’s Digital Crimes Unit shut down the fake websites with a court approval received last year and notified targeted organizations. The company did not reveal if the fake websites allowed the hacker to compromise the visitors’ machines or to steal their credentials.
It is not clear if Microsoft conducted a sinkhole investigation to determine if the domain was also used as a command-and-control servers for malicious codes used by the attackers.
Microsoft has shut down dozens of other fake websites since 2016 after it has obtained the authorization from the authorities. Experts believe that foreign states, especially Russia, will continue to attempt hacking into U.S. politics; for this reason, Microsoft will continue to monitor any activity targeting U.S. political groups and politicians.
The company discovered the attacks as part of the Microsoft’s Defending Democracy Program, which launched in April and is focused on four priorities:
- Protecting campaigns from hacking
- Protecting voting and the electoral process
- Increasing political advertising transparency
- Defending against disinformation campaigns
Microsoft announced also its AccountGuard initiative, which provides the following services to organizational and personal email accounts:
- Threat notification across accounts
- Security guidance and ongoing education
- Early adopter opportunities
State and private tech firms like Microsoft are warning that democracies around the world are under attack. Nation-state hackers continues to launch cyberattacks aimed at the disruption of election processes and the sowing of discord.
The interference with the United States Presidential election in 2016, and the alleged attacks against the French presidential election in May demonstrates the potential effects of hacking campaigns on electoral processes. Americans must be prepared for the November midterm elections.
Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates, Security Affairs
Facebook reported and blocked attempts to influence campaigns ahead of midterms US elections, Security Affairs
We are taking new steps against broadening threats to democracy, Microsoft Blog
Russian APT28 espionage group targets democratic Senator Claire McCaskill, Security Affairs
Russian Hackers’ New Target: a Vulnerable Democratic Senator, The Daily Beast