Microsoft shuts down Russian operation targeting political institutions


A group affiliated with the Russian government created phony versions of six websites — including some related to public policy & to the U.S. Senate — with the apparent goal of hacking into the computers of people who were tricked into visiting, according to Microsoft, which said Monday night that it discovered and disabled the fake sites.

The effort by the notorious APT28 hacking group, which has been publicly linked to a Russian intelligence agency & actively interfered in the 2016 presidential election, underscores the aggressive role that Russian operatives are playing ahead of the midterm elections in the U.S. U.S. officials have repeatedly warned that the November vote is a major focus for interference efforts. MS said the sites were created over the past several months & that the company was able to catch them early, as they were being set up. It did not go into more specifics.

MS’s Digital Crimes Unit, which is responsible for the company’s response to email phishing schemes, took the lead role in finding & disabling the sites, & the company is launching an effort to provide expanded cybersecurity protection for campaigns & election agencies that use MS products.

Among those targeted were the Hudson Institute, a conservative Washington think tank active in investigations of corruption in Russia, & the International Republican Institute (IRI), a nonprofit group that promotes democracy worldwide. Three other fake sites were crafted to appear as though they were affiliated with the Senate, & one nonpolitical site spoofed MS’s own online products.

The Senate did not immediately respond to requests for comment late Monday.

MS said Monday that it had found no evidence that the fake sites it recently discovered were used in attacks, but fake sites can carry malware that automatically loads onto the computers of unsuspecting visitors. Hackers often send out deceptive “spear-phishing” emails to trick people into visiting sites that appear to be authentic but in fact allow the attackers to penetrate & gain control of computers that log on, allowing the theft of emails, documents, contact lists & other information.

“This apparent spear-phishing attempt against the IRI & other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy & human rights,” said Daniel Twining, IRI’s president, who blamed Russian President Putin. “It is clearly designed to sow confusion, conflict & fear among those who criticize Mr. Putin’s authoritarian regime.”
The move by MS is the latest effort by Silicon Valley to address Russian threats to the coming election more aggressively than the technology industry did in 2016, when many woke up to the seriousness & sophistication of disinformation efforts only after Americans had voted. Companies & U.S. officials have vowed to work together more closely this year. Facebook recently disclosed that the company took down 32 fake accounts & pages that were tied to the Internet Research Agency, a Russian disinformation operation active before & after the 2016 election.

Asked about MS’s allegations Tuesday, Kremlin spokesman Dmitry Peskov said, “We don’t know what hackers they are talking about.”

Peskov told reporters, “We don’t understand what they mean & what the evidence is, what the conclusions are based on.”

After discovering the sites recently, MS said, it sought to obtain a court order to transfer the domain names to its own servers, a legal tactic that the company’s security division has used a dozen times since 2016 to disable 84 websites created by APT28, which also is sometimes called Strontium or Fancy Bear. APT28, a unit under the Russian military intelligence agency GRU, specializes in information warfare or hacking & disinformation operations. “APT” refers to “advanced persistent threat” in cybersecurity circles.

The cases have been brought under trademark infringement after a federal judge agreed that the group, which MS calls Strontium, poses an “advanced persistent threat” & would continue its attacks.

MS President Brad Smith said in an interview that the company had been tracking the Russian-government-backed group for two years but had decided to speak publicly about the company’s efforts for the first time because of a growing sense of urgency & an uptick in Russian activity ahead of the midterms.

“You can’t really bring people together in a democratic society unless we share information about what’s going on,” Smith told The WA Post. “When there are facts that are clear as day, for those of us who operate inside companies, increasingly we feel it’s an imperative for us to share this more broadly with the public.”

He said that the technology industry was seeking to become more transparent with the public. The company previously had announced that two political candidates had been subjected to spear-phishing attacks.


Installing malicious software on phony websites is a popular method for hacking into computers & resembles the tactic used in the attack on John Podesta, the campaign chairman for HRC, who received a fake security-warning email that linked to a phony site created by Russians. His stolen emails were released publicly in the final weeks of the presidential election campaign & caused embarrassment for their blunt assessments of various matters. Cybersecurity researchers have blamed the hack of Podesta’s email on APT28.

Special counsel Robert Mueller in July indicted 12 Russian intelligence officers, accusing them of hacking the Democratic National Committee, also in 2016.

MS did not explicitly blame the Russian intelligence agency for the attack announced Monday but it did cite Russia’s government & named APT28 & its pseudonyms, Strontium and Fancy Bear.

The Hudson Institute said that it, like many Washington institutions, had been the subject of previous cyberattacks. David Tell, the group’s director of public affairs, said the Hudson Institute’s Kleptocracy Initiative, which frequently reports on corruption in Russia, may have made the conservative think tank a target. Tell also noted that Director of National Intelligence Daniel Coats, speaking at the Hudson Institute in July, called Russia “the most aggressive foreign” actor in seeking to divide Americans, which could have drawn the attention of APT28.

“This kind of stuff does happen. It’s happened to us before,” Tell said. “It doesn’t surprise me that bad actors in nondemocratic states would want to mess with us.”

The phony websites, which were registered with major web-hosting companies, were at,,,, and, according to MS. Their discovery underscores the central role that American tech companies, which frequently have been criticized for hosting Russian disinformation on their platforms, can play in ferreting it out.

Eric Rosenbach, former Pentagon chief of staff & now co-director of Harvard University’s Belfer Center for Science & International Affairs, applauded MS for quickly announcing its discoveries. He said companies sometimes can act in ways that governmental agencies cannot because of legal & ethical restrictions.

“The tech sector needs to play a role in protecting elections & protecting campaigns,” Rosenbach said. “The tech sector will have visibility on some of these things that the [National Security Agency] never could & never should.”

MS also said Monday it was launching an initiative to provide enhanced cybersecurity protections free to candidates & campaign offices at the federal, state & local levels that use its Office 365 software, as well as think tanks & political organizations that the company believes are under attack.


Word of this was, as I recall, first released at the Aspen Security conference a couple of months ago. At the time Microsoft said they couldn’t share the details of what they found since they were still working with the FBI. They only mentioned that there were other domains set up in what appeared to have been a phishing attack.

There was a conversation about that here on the threads. A misunderstanding that I remember from that thread was the belief that it would be sufficient for a network admin to make sure that a site’s own security was up to par to defend from such attacks. In the previous thread it didn’t appear to be understood that people who get access to a network through such attacks are not necessarily circumventing network security devices; they are tricking someone into handing them the information to use the official channels to get into them, with a user name, password, and even authorization through a second factor.


Phishing is just insidious. I get many political solicitations emailed to me in the form of campaign newsletters to which I never subscribed. I long ago stopped responding through links in email regardless of who supposedly sent the email. However, the campaign newsletters became a nuisance to delete so I decided to “unsubscribe.” I unsubscribed to several, but then one wanted me to enter my email to unsubscribe, and I realized that I was using links to unsubscribe to these sites that I did not trust in the first place. DUH! So now I’m flagging them and putting them in the junk folder. It will take some time but eventually our service provider will block them for a time before I will have to begin the process all over again.


I’m no tech person, but I recall reading that any really good hacker can utilize whatever “prints” a known software leaves in his own hacking. I remember “Fancy Bear” specifically in this regard because most “Fancy Bear” hacks actually originate in the United States, and it is thought to be widely utilized by a number of parties that are not Russian or in any way connected to Russia.

One may wish to ask oneself who one trusts least to have access to its political information and systems; Russia or Microsoft.


Your question is so strange that I can’t answer it. However, my preference is to live in the U.S. and have Microsoft’s Digital Crimes Unit “responsible for the company’s response to email phishing schemes.”

Maybe you would prefer to live in a country where there is no Microsoft Digital Crimes Unit and in addition Russia has “access to its political information and systems?” I think that would be Russia.


While probably worthy of its own thread, this was related, so I am appending it here.

DNC calls FBI after detecting attempt to hack its voter database

The Democratic National Committee contacted the FBI on Tuesday after it detected what it believes was the beginning of a sophisticated attempt to hack into its voter database, a Democratic source tells CNN.

The DNC was alerted in the early hours of Tuesday morning by a cloud service provider and a security research firm that a fake login page had been created in an attempt to gather usernames and passwords that would allow access to the party’s database, the source said.

The page was designed to look like the access page Democratic Party officials and campaigns across the country use to log into a service called Votebuilder, which hosts the database, the source said, adding the DNC believed it was designed to trick people into handing over their login details.

The source said the DNC is investigating who may have been responsible for the attempted attack, but that it has no reason to believe its voter file was accessed or altered.

The page was initially discovered late Monday by Lookout, a San Francisco-based cybersecurity firm. The company doesn’t work for the DNC but alerted the party to its findings, Mike Murray, the company’s vice president of security intelligence, told CNN on Wednesday.


It’s not a matter of that. Russia can’t do a whole lot with my personal information, and I doubt it does. Microsoft can do a great deal with it and does.

