Russian Cyberspies Target 2018 U.S. Midterm Elections
APT28 Behind Cyberattacks
In July, Microsoft announced that Russia-linked threat actors attempted to hack at least three 2018 U.S. midterm election candidates. The company also added that it has helped the U.S. government to repeal their attacks.
The news was confirmed by a Microsoft executive speaking at the Aspen Security Forum, who revealed that the hacking attempts against at least three unnamed congressional candidates were all detected this year.
The hackers launched a spearphishing campaign aimed at the candidates. The messages included links to a fake Microsoft website used by the hackers to trick victims into providing their credentials.
Microsoft attributed the attacks to the Russia-linked APT28 group, the same threat actor that was involved in the attacks against the 2016 Presidential election.
The group known as APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) has been active since at least 2007 and operates under the Russian military agency GRU.
The discovery made by Microsoft shows that APT28 continues to target the U.S. politicians. Microsoft executive Tom Burt compared the recent activities with the cyberattacks that interfered with the 2016 Presidential election; at the time, he also pointed out that unlike the 2016 campaign attacks, the 2018 attacks do not target think tanks and academic experts. This would change.
In July, Russian hackers also targeted Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.
As reported by The Daily Beast, McCaskill always expressed criticism of Russia and its aggressive strategy in cyberspace. McCaskill has repeatedly accused the Russian Government of "cyber warfare against our democracy," and she defined President Vladimir Putin as a "thug" and a "bully."
Russian cyberspies launched spear phishing attacks against the members of the staff aimed at stealing their credentials, the same tactic used against Hillary Clinton campaign manager John Podesta in 2016. The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.
The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.
McCaskill explained that the attempted hack of her staff failed.
A Month Later
In August, Facebook announced it was shutting down content and accounts "engaged in coordinated inauthentic behavior." Facebook did not attribute the attacks to Russia, but intelligence experts suspect that Russian APT groups were behind the operation.
According to Facebook, "some of the activity is consistent" with Tactics, Techniques and Procedures (TTPs) associated with the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.
Facebook revealed that some 290,000 users followed at least one of the blocked pages. According to Facebook, some of the fake pages were used to promote real-world events, two of which have taken place.
Just after Facebook's announcement, the U.S. government remarked it will not tolerate any interference from foreign states.
The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign. Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and Internet phone services to protect their anonymity.
Facebook announced it would start notifying users that were following the blocked accounts and users who said they would attend events created by one of the suspended accounts and pages. The tech giant also reported its findings to U.S. law enforcement agencies, Congress and other tech companies.
A month after Microsoft's announcement of cyberattacks against 2018 U.S. midterm election, the company spotted a new hacking campaign targeting the midterms.
"It's clear that democracies around the world are under attack," stated Microsoft. "Foreign entities are launching cyber strikes to disrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal and leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We saw this during the United States general election in 2016, last May during the French presidential election, and now in a broadening way as Americans are preparing for the November midterm elections."
Microsoft once again attributed the attacks to APT28. This time, hackers targeted members of United States Senate, conservative organizations and think tanks.
The Russian cyberspies created at least six fake websites related to the U.S. Senate and conservative organizations to infect the visitors' systems. Three fake domains were created to appear as legitimate websites belonging to the U.S. Senate, while another site was created to spoof Microsoft's online products.
The remaining websites were designed to mimic two U.S. conservative think tanks:
- The Hudson Institute — A conservative Washington think tank.
- The International Republican Institute (IRI) — A nonprofit group that promotes democracy worldwide and whose board includes prominent Republican figures like Sen. John McCain
Microsoft did not provide further details on the attacks, but it is likely that the hackers set up the sites to steal login credentials from the visitors and use them in later attacks. Another possible attack scheme sees the websites hosting exploit kits that were used to deliver malware. The website spoofing the Microsoft product was likely bait to steal Microsoft login credentials used by the targeted organizations.
Microsoft's Digital Crimes Unit shut down the fake websites with a court approval received last year and notified targeted organizations. The company did not reveal if the fake websites allowed the hacker to compromise the visitors' machines or to steal their credentials.
It is not clear if Microsoft conducted a sinkhole investigation to determine if the domain was also used as a command-and-control servers for malicious codes used by the attackers.
Microsoft has shut down dozens of other fake websites since 2016 after it has obtained the authorization from the authorities. Experts believe that foreign states, especially Russia, will continue to attempt hacking into U.S. politics; for this reason, Microsoft will continue to monitor any activity targeting U.S. political groups and politicians.
The company discovered the attacks as part of the Microsoft's Defending Democracy Program, which launched in April and is focused on four priorities:
- Protecting campaigns from hacking
- Protecting voting and the electoral process
- Increasing political advertising transparency
- Defending against disinformation campaigns
Microsoft announced also its AccountGuard initiative, which provides the following services to organizational and personal email accounts:
- Threat notification across accounts
- Security guidance and ongoing education
- Early adopter opportunities
State and private tech firms like Microsoft are warning that democracies around the world are under attack. Nation-state hackers continues to launch cyberattacks aimed at the disruption of election processes and the sowing of discord.
The interference with the United States Presidential election in 2016, and the alleged attacks against the French presidential election in May demonstrates the potential effects of hacking campaigns on electoral processes. Americans must be prepared for the November midterm elections.
Sources
Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates, Security Affairs
Facebook reported and blocked attempts to influence campaigns ahead of midterms US elections, Security Affairs
We are taking new steps against broadening threats to democracy, Microsoft Blog
Russian APT28 espionage group targets democratic Senator Claire McCaskill, Security Affairs
Russian Hackers' New Target: a Vulnerable Democratic Senator, The Daily Beast
In this Series
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
- Past and Present Iran-linked Cyber-Espionage Operations
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage