Microsoft rebuffs Fancy Bear attempts to target US conservative election candidates

News by Teri Robinson

Microsoft has shut down six websites created by the Russian Fancy Bear cyber-crime gang that targeted members of the US Senate and conservative think tanks and were potentially intended to launch cyber-attacks.

As the US midterm elections approach and fears of outside influence increase, Microsoft said Tuesday it had shut down six websites created by the Russian Fancy Bear cyber-crime gang that targeted members of the US Senate and conservative think tanks and were potentially intended to launch cyber-attacks.

It appeared to be particularly targeting Republican critics of President Trump, the very people who would need to vote in favour of impeachment to reach the two-thirds legislative majority needed to remove the president, should that situation arise.

The tech giant petitioned a judge in the US Eastern District of Virginia to take control of the sites, some of which used misleading domains such as "," and ""

Microsoft confirmed the domains, which also included those meant to look like they were generated by the conservative think tank Hudson Institute and could have been used for spearphishing, were linked to "the Russian government and known as Strontium, or alternatively Fancy Bear or APT28."

In a Monday evening blog post, Microsoft president Brad Smith said, "Attackers want their attacks to look as realistic as possible and they, therefore, create websites and URLs that look like sites their targeted victims would expect to receive email from or visit."

Several recent incidents demonstrate that Russian military intelligence (GRU), some members of which were indicted by special counsel Robert Mueller for meddling in the 2016 presidential campaign, continue to interfere in and undercut US democratic processes.

It is not the first time that Microsoft has sounded the alarm about Russian interference. At the Aspen Security Summit in July on the same day that GOP members of the House voted not to renew additional funding for election security, the company recounted its efforts to help the US government fend off attempts by Russia to hack into the campaigns of three congressional candidates earlier this year.

Keying on candidates "who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint," Microsoft vice president for customer security Tom Burt said the hackers volleyed phishing attacks at campaign staffers, hoping to lure them to a fake Microsoft domain and nick their credentials.

"Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks," Burt told attendees at the Aspen Security Forum, adding that the metadata "suggested" the attacks were aimed at three midterm election hopefuls.
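The lookalike domains that Smith and Burt describe, which impersonate the sites a target expects to receive mail from or visit, are something defenders can screen for in their own proxy or mail logs. The Python below is an added example, not Microsoft's AccountGuard code or anything taken from the article: the protected-domain list, the homoglyph table and the proxy log lines are all constructed, and the "last two labels" notion of a registrable domain is a deliberate simplification that a real deployment would replace with the public suffix list.

```python
import re

# Constructed list of domains the organisation's staff legitimately use.
PROTECTED = ["microsoft.com", "office.com", "hudson.org", "senate.gov"]

# Constructed, partial table of character substitutions used in lookalike names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed proxy log; "host=" is the field the scanner reads.
SAMPLE_PROXY_LOG = """\
2018-08-21T09:12:01Z user=staffer1 host=login.microsoft.com
2018-08-21T09:14:37Z user=staffer1 host=login.microsoft.com.evil-host.example
2018-08-21T09:20:05Z user=staffer2 host=rnicrosoft.com
2018-08-21T09:25:44Z user=staffer3 host=hudsen.org
2018-08-21T09:31:10Z user=staffer3 host=github.com
"""


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; a real
    deployment should use the public suffix list so 'example.co.uk' works)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def fold_homoglyphs(text):
    """Replace common look-alike character sequences with the letter they imitate."""
    for lookalike, real in HOMOGLYPHS:
        text = text.replace(lookalike, real)
    return text


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, protected_domain) for a hostname.

    Verdicts: 'legitimate' (registrable domain is on the protected list),
    'embedded-brand' (a protected brand appears elsewhere in the name),
    'homoglyph' (the brand appears once look-alike characters are folded),
    'typosquat' (the registrable label is within two edits of a brand),
    or 'unrelated'.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    brand_label = reg.split(".")[0]
    folded_host = fold_homoglyphs(host)
    for protected in PROTECTED:
        brand = protected.split(".")[0]
        if brand in host:
            return ("embedded-brand", protected)
        if brand in folded_host:
            return ("homoglyph", protected)
        if levenshtein(brand_label, brand) <= 2:
            return ("typosquat", protected)
    return ("unrelated", None)


LOG_LINE = re.compile(r"user=(?P<user>\S+)\s+host=(?P<host>\S+)")


def scan_proxy_log(log_text):
    """Return (user, host, verdict, protected) for every suspicious host seen."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.search(line)
        if not match:
            continue
        verdict, protected = classify_host(match.group("host"))
        if verdict not in ("legitimate", "unrelated"):
            findings.append((match.group("user"), match.group("host"), verdict, protected))
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("suspicious lookalike:", finding)
```

Run against the constructed log, the scanner flags three of the five hosts: the brand name buried in a longer hostname, the "rn" for "m" homoglyph, and the one-letter typo of the think tank's domain. The ordering of the checks matters: an exact match on the registrable domain is tested first so that genuine subdomains of protected sites are never reported, and the edit-distance check is applied only to the registrable label, so a long unrelated name does not get flagged merely for containing a similar fragment.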

"We are in a situation of asynchronous warfare. Foreign powers are using the cyber-theatre to undermine confidence in political and economic models," said Andy Norton, director of threat intelligence at Lastline. "Security that is proportionate to the level of risk is called for by best practice, however, we perpetually underestimate the risk and the impact a cyber-intrusion has, not only on the victim, but in the broader level of confidence in systems in general."

Responses should reflect a recognition of asynchronous warfare strategies and security preparedness is a must, he maintained.

"An 'abundance of caution' should be the cultural foundation for all cyber-security operations going forward to be built upon," Norton said. "The methods of attack are known to us, yet we fail to deploy the correct technology, processes and people to counter intrusion attempts."

To better combat cyber-threats to political entities, Microsoft is expanding its Defending Democracy Program to include an AccountGuard protection service for political campaigns and entities using Microsoft Office 365.

In an email to SC Media UK, Sam Curry, chief security officer at Cybereason, commented: "It shouldn't come as a big surprise to anyone that Russians or other nation-states are probing for sensitive information from conservative, liberal, libertarian leaning organisations. You get the point that if there is valuable information to be gleaned expect groups to be interested in it.

"Security organisations need to think about what they want to protect, how they will monitor distribution and privilege with controls like strong authentication. Simply put, doing the basic hygiene and controls isn't enough today. Everyone should be on strong authentication and monitoring and the 'check marks' should be in place; but the most important 'check mark' is a true cyber-function with forward-leaning, human intelligence monitoring behavioural telemetry. The attackers are human, and in many instances sophisticated. Organisations need teams of people in place to thwart adversarial attempts with the right tools, like EDR tools, that will help the humans in defence win the cyber conflict. Hygiene alone is not enough."

Priscilla Moriuchi, director of strategic threat development at Recorded Future adds:

"It is a mistake to believe that the Russian government is a partisan political actor; it is not. Vladimir Putin uses cyber-operations to promote those who support his political agenda and undermine those who do not. This includes people and organisations on both sides of the political aisle.

"There is no reason why Russia would not continue to employ a technique that so successfully furthered American domestic divisions and Putin's own political goals. There is no doubt these types of attacks will continue through the mid-term and 2020 elections so far as the political gain has vastly outweighed the costs. Unless Russia is confronted with real world economic and political consequences, these attacks against American democratic institutions will persist."

Tim Erlin, VP at Tripwire, observed: "Setting up fake domains that mimic conservative websites isn't so much an attack on those organisations as an attack on the people who might visit those websites. It's an important distinction, because the targets are different.

"If there's a campaign to collect valid credentials from users, it's worth asking what the next step might be. Those credentials are only of value if they're used or sold."
