Microsoft alleges new Russia hack targeting US political groups

Firm says group known as APT 28 targeting Republican-leaning bodies before midterms

The Microsoft office in Cambridge, Massachusetts: A US court has given Microsoft permission to seize control of the six website domains as part of an ongoing case. Photograph: Brian Snyder/Reuters

Microsoft has uncovered six internet domains used by Kremlin-linked hackers that targeted Republican-leaning US political groups, in a sign Russian efforts to influence American politics are expanding ahead of midterm elections in November.

The company said a group known as APT 28, also dubbed Fancy Bear or Strontium and linked to Russian military intelligence, created fake websites that mimicked the web addresses of the US Senate and of two conservative non-profits, the International Republican Institute and the Hudson Institute.

Although the IRI, which promotes democracy overseas, and the Hudson Institute, a Washington-based think tank, have ties to Republicans, both have been critical of Russian president Vladimir Putin, a sign APT 28 is targeting any Kremlin detractors. Many previously documented Russian efforts have been focused on Democrats.

A US court has given Microsoft permission to seize control of the six website domains as part of an ongoing case.

The disclosure came less than a month after Facebook announced it was working with the FBI after uncovering efforts to use fake accounts to spread political disinformation ahead of the midterms, a campaign that has also been linked to the Kremlin.

The latest disclosures complicate efforts by President Donald Trump to discredit findings by US intelligence that Mr Putin worked to influence the 2016 presidential election.

Although Mr Trump himself has repeatedly questioned the assessment, his own spy chiefs this month took the rare step of issuing a warning against “a pervasive messaging campaign by Russia to try to weaken and divide the United States”.

Brad Smith, Microsoft president and chief legal officer, said attacks against democracy were broadening and warned of more attempts to undermine candidates and campaigns ahead of the November vote.

“Foreign entities are launching cyber strikes to disrupt elections and sow discord,” he wrote in a blog. “Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems.”

Microsoft said it had no evidence that the sites it uncovered had been successful in launching attacks before the company identified and disabled them.

Phishing attacks

It said hackers appeared to be attempting to trick political campaign staff and government employees with so-called phishing attacks. Once the links created by hackers were clicked on, login credentials or other sensitive information could have been stolen. Similar methods were used to harvest emails from Democratic party operatives during the 2016 presidential campaign.

“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive an email from or visit,” Mr Smith wrote.

Microsoft has taken down 84 fake websites associated with Fancy Bear over the past two years. Last month, Tom Burt, Microsoft’s vice-president of customer security and trust, said the company had detected Russian phishing attacks on three US congressional candidates, whom he did not name.

The US national security establishment has repeatedly warned about attempts to undermine election security ahead of the midterms. Dan Coats, Mr Trump’s director of national intelligence, said in July that “warning lights are blinking red” just as they did ahead of the September 11th attacks.

Kirstjen Nielsen, the homeland security secretary, said last month there was “little doubt” that adversaries continued to view elections as a target for malicious cyber and influence operations – but she added that the scale of Russian activities had not reached the level of 2016 this year.


Last week, the department of homeland security hosted a three-day exercise to help election officials improve their cyber-incident planning. The previous week, hackers at the annual Def Con cyber security conference tried to show how vulnerable voting machines were to attack.

Microsoft is expanding its support for election security with an initiative designed to protect the accounts of candidates and campaigns at the federal, state and local levels. The free service will detect potential attacks, offer quick remediation and try to educate political organisations about the threats.

Other technology companies including Google and cyber security companies Cloudflare, Synack and Akamai are all offering free services to campaigns and/or election officials.

Mr Smith encouraged all Americans to help secure elections. “Democracy requires vigilance and at times action by citizens to protect and maintain it,” he said. – Copyright The Financial Times Limited 2018