
Russian Cyberspies Target 2018 U.S. Midterm Elections

August 28, 2018 by Pierluigi Paganini

APT28 Behind Cyberattacks

In July, Microsoft announced that Russia-linked threat actors had attempted to hack at least three 2018 U.S. midterm election candidates. The company added that it had helped the U.S. government repel the attacks.

The news was confirmed by a Microsoft executive speaking at the Aspen Security Forum, who revealed that the hacking attempts against at least three unnamed congressional candidates were all detected this year.

The hackers launched a spearphishing campaign aimed at the candidates. The messages included links to a fake Microsoft website used by the hackers to trick victims into providing their credentials.

Microsoft attributed the attacks to the Russia-linked APT28 group, the same threat actor that was involved in the attacks against the 2016 Presidential election.

The group known as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) has been active since at least 2007 and operates under Russia's military intelligence agency, the GRU.

The discovery made by Microsoft shows that APT28 continues to target U.S. politicians. Microsoft executive Tom Burt compared the recent activity with the cyberattacks that interfered with the 2016 Presidential election; at the time, he also pointed out that, unlike the 2016 campaign, the 2018 attacks did not target think tanks and academic experts. This would change.

In July, Russian hackers also targeted Senator Claire McCaskill and her staff as they geared up for her 2018 re-election campaign.

As reported by The Daily Beast, McCaskill has been a consistent critic of Russia and its aggressive strategy in cyberspace. She has repeatedly accused the Russian Government of "cyber warfare against our democracy," and has called President Vladimir Putin a "thug" and a "bully."

Russian cyberspies launched spear-phishing attacks against members of her staff aimed at stealing their credentials, the same tactic used against Hillary Clinton campaign chairman John Podesta in 2016. The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.

McCaskill explained that the attempted hack of her staff failed.

A Month Later

In August, Facebook announced it was shutting down content and accounts "engaged in coordinated inauthentic behavior." Facebook did not attribute the attacks to Russia, but intelligence experts suspect that Russian APT groups were behind the operation.

According to Facebook, "some of the activity is consistent" with Tactics, Techniques and Procedures (TTPs) associated with the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.

Facebook revealed that some 290,000 users followed at least one of the blocked pages. According to Facebook, some of the fake pages were used to promote real-world events, two of which have taken place.

Just after Facebook's announcement, the U.S. government remarked that it would not tolerate any interference from foreign states.

The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign. Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and Internet phone services to protect their anonymity.

Facebook announced it would start notifying users that were following the blocked accounts and users who said they would attend events created by one of the suspended accounts and pages. The tech giant also reported its findings to U.S. law enforcement agencies, Congress and other tech companies.

A month after Microsoft's announcement of cyberattacks against 2018 U.S. midterm election candidates, the company spotted a new hacking campaign targeting the midterms.

"It's clear that democracies around the world are under attack," stated Microsoft. "Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections."

Microsoft once again attributed the attacks to APT28. This time, the hackers targeted members of the United States Senate, conservative organizations and think tanks.

The Russian cyberspies created at least six fake websites impersonating the U.S. Senate and conservative organizations in order to target their visitors. Three fake domains were created to appear as legitimate websites belonging to the U.S. Senate, while another site was created to spoof Microsoft's online products.

The remaining websites were designed to mimic two U.S. conservative think tanks:

  • The Hudson Institute — A conservative Washington think tank.
  • The International Republican Institute (IRI) — A nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain.

Microsoft did not provide further details on the attacks, but it is likely that the hackers set up the sites to harvest login credentials from visitors for use in later attacks. Another possibility is that the websites hosted exploit kits used to deliver malware. The site spoofing a Microsoft product was likely bait to steal the Microsoft account credentials used by the targeted organizations.
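A defender-side check that follows from the above, as an added example (not Microsoft's code or anything from the article): triage of newly seen domains against a brand watchlist, flagging lookalikes through homoglyph normalization, embedded brand tokens and edit distance. The watchlist, allowlist and candidate domains below are constructed and hypothetical; the article does not name the real domains from the takedown, and none are reproduced here.

```python
"""Lookalike-domain triage against a brand watchlist.

Added example for this article, not Microsoft's or the author's code.
The watchlist, allowlist and candidate domains are constructed for
illustration; they are not the domains from the 2018 takedown.
"""
from typing import List, Optional, Tuple

# Characters and digraphs attackers substitute for look-alike letters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("@", "a")]

# Brand tokens worth protecting (assumed watchlist).
WATCHLIST = ("senate", "microsoft", "office365", "hudson")

# Registrable domains the watchlist owners actually use (assumed allowlist).
ALLOWLIST = ("senate.gov", "microsoft.com", "office.com", "hudson.org")

# Constructed candidate feed, e.g. from new registrations or CT logs.
CANDIDATES = [
    "senate.gov", "mail.senate.gov", "senate.group", "senat3.email",
    "my-senate-login.example", "rnicrosoft-login.example",
    "0ffice365-secure.example", "mircosoft.example",
    "hudson-institute-portal.example", "example.org",
]


def normalize(label: str) -> str:
    """Lowercase a DNS label and undo common homoglyph substitutions."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; O(len(a)*len(b)) is fine for short DNS labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Registrable part, assuming a single-label public suffix (.com, .gov).
    Production code should consult the Public Suffix List for .co.uk etc."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if the domain impersonates a watchlisted brand,
    else None. Allowlisted registrable domains and their subdomains pass."""
    domain = domain.lower().rstrip(".")
    if registrable(domain) in ALLOWLIST:
        return None
    labels = domain.split(".")[:-1]  # skip the public suffix itself
    for label in labels:
        norm = normalize(label)
        for brand in WATCHLIST:
            nbrand = normalize(brand)  # normalize both sides (office365 has digits)
            if label == brand:
                return brand, "brand label under unexpected suffix"
            if norm == nbrand:
                return brand, "homoglyph substitution"
            if nbrand in norm.split("-") or (len(nbrand) >= 6 and nbrand in norm):
                return brand, "brand embedded in label"
            max_dist = 2 if len(nbrand) >= 8 else 1  # looser for long brands
            if levenshtein(norm, nbrand) <= max_dist:
                return brand, "typosquat"
    return None


def triage(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (domain, brand, reason) for every flagged candidate."""
    hits = []
    for d in domains:
        verdict = classify(d)
        if verdict:
            hits.append((d, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for domain, brand, reason in triage(CANDIDATES):
        print(f"{domain:35} -> {brand:10} ({reason})")
```

The reasons are deliberately coarse: the point of the triage step is to pull a handful of candidates out of a registration or certificate-transparency feed for a human to review, not to block automatically. Two caveats worth keeping in mind: the registrable-domain logic assumes a one-label public suffix, and the substring rule will also flag legitimate third parties that mention a brand in their hostname, so an allowlist maintained with the brand owners matters as much as the matching logic.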

Microsoft's Digital Crimes Unit shut down the fake websites under a court order obtained last year and notified the targeted organizations. The company did not reveal whether the fake websites allowed the hackers to compromise visitors' machines or to steal their credentials.

It is not clear whether Microsoft sinkholed the seized domains to determine if they were also used as command-and-control servers for the attackers' malware.

Microsoft has shut down dozens of other fake websites since 2016 after obtaining authorization from the courts. Experts believe that foreign states, especially Russia, will continue to attempt to hack into U.S. politics; for this reason, Microsoft will continue to monitor any activity targeting U.S. political groups and politicians.

The company discovered the attacks as part of Microsoft's Defending Democracy Program, which launched in April and is focused on four priorities:

  1. Protecting campaigns from hacking
  2. Protecting voting and the electoral process
  3. Increasing political advertising transparency
  4. Defending against disinformation campaigns

Microsoft also announced its AccountGuard initiative, which provides the following services to organizational and personal email accounts:

  1. Threat notification across accounts
  2. Security guidance and ongoing education
  3. Early adopter opportunities

Governments and private tech firms such as Microsoft are warning that democracies around the world are under attack. Nation-state hackers continue to launch cyberattacks aimed at disrupting election processes and sowing discord.

The interference with the United States Presidential election in 2016, and the alleged attacks against the French presidential election in May 2017, demonstrate the potential effects of hacking campaigns on electoral processes. Americans must be prepared for the November midterm elections.


Sources

  • Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates, Security Affairs
  • Russian APT28 espionage group targets democratic Senator Claire McCaskill, Security Affairs
  • Russian Hackers' New Target: a Vulnerable Democratic Senator, The Daily Beast
  • Facebook reported and blocked attempts to influence campaigns ahead of midterms US elections, Security Affairs
  • We are taking new steps against broadening threats to democracy, Microsoft Blog

Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.