Threat Management, Threat Management, Threat Intelligence

Microsoft rebuffed Fancy Bear attempts to target candidates, conservative think tanks

As the midterm elections approach and fears of outside influence increase, Microsoft said Tuesday it had shutdown six websites created by the Russian Fancy Bear cybercrime gang targeting members of the U.S. Senate and conservative think tanks and potentially intended to launch cyberattacks.

The tech giant petitioned a judge in the Eastern District of Virginia to take control of the sites, some of which used misleading domains such as “senate.group," and "adfs-senate.email."

Microsoft confirmed the domains, which also included those meant to look like they were generated by the conservative think tank Hudson Institute and could have been used for spearphishing, were linked to "the Russian government and known as Strontium, or alternatively Fancy Bear or APT28."

In a Monday evening blog post, Microsoft President Brad Smith said, "Attackers want their attacks to look as realistic as possible and they, therefore, create websites and URLs that look like sites their targeted victims would expect to receive email from or visit.”

A number of recent incidents demonstrate that Russian military intelligence, some members of which were indicted by Special Counsel Robert Mueller for meddling in the 2016 presidential campaign, continue to interfere in and undercut U.S. democratic processes.

It is not the first time that Microsoft has sounded the alarm about Russian interference. At the Aspen Security Summit in July on the same day that GOP members of the House voted not to renew additional funding for election security, the company recounted its efforts to help the U.S. government fend off attempts by Russia to hack into the campaigns of three congressional candidates earlier this year.

Keying on candidates “who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint,” Microsoft Vice President for Customer Security Tom Burt said the hackers volleyed phishing attacks at campaign staffers, hoping to lure them to a fake Microsoft domain and nick their credentials.

"Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks," Burt told attendees at the Aspen Security Forum, who said the metadata “suggested” the attacks were aimed at three midterm election hopefuls.

“We are in a situation of asynchronous warfare. Foreign powers are using the cyber theater to undermine confidence in political and economic models,” said Andy Norton, director of threat intelligence at Lastline. “Security that is proportionate to the level of risk is called for by best practice, however, we perpetually underestimate the risk and the impact a cyber intrusion has, not only on the victim, but in the broader level of confidence in systems in general.”

Responses should reflect a recognition of asynchronous warfare strategies and security preparedness is a must, he maintained.

“An ‘abundance of caution' should be the cultural foundation for all cybersecurity operations going forward to be built upon,” Norton said. “The methods of attack are known to us, yet we fail to deploy the correct technology, processes and people to counter-intrusion attempts.”

To better combat cyber threats to political entities, Microsoft is expanding its Defending Democracy Program to include an AccountGuard protection service for political campaigns and entities using Microsoft Office 365.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.