Microsoft shuts down phishing sites, accuses Russia of new election meddling

Phishing sites mimicked domains of Senate and conservative US think tanks.

Russian President Vladimir Putin speaks during the Moscow Urban Forum 2018 on July 18, 2018 in Moscow, Russia. (Getty Images | Mikhail Svetlov)

Russia has denied any knowledge of a spear phishing attempt that allegedly mimicked the domains of the US Senate and two US-based think tanks.

Russia's denial came after Microsoft said it detected and shut down the campaign.

"Last week, Microsoft's Digital Crimes Unit (DCU) successfully executed a court order to disrupt and transfer control of six Internet domains created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28," Microsoft Chief Legal Officer Brad Smith wrote in Microsoft's announcement Monday. "We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group."

The domains were apparently meant to mimic those of the International Republican Institute, the Hudson Institute, and US Senate systems. "Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit," Microsoft said.

Spear phishing attacks are designed to trick specific people into divulging login credentials or into clicking on malicious links.

Microsoft is "concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections," Smith wrote.

A Kremlin spokesperson denied any knowledge of the alleged spear-phishing campaign.

"We don't know which hackers they are talking about, we don't know what is meant about the impact on elections," Kremlin spokesperson Dmitry Peskov told CNN. "From the US, we hear that there was not any meddling in the elections. Whom exactly they are talking about, what is the proof, and on what grounds are they reaching such conclusions?"

"We don't understand, and there is no information, so we treat such allegations accordingly," Peskov also said.

An unnamed Russian diplomatic source who spoke to Russian news agency Interfax accused Microsoft of "playing political games," according to Reuters.

Microsoft previously said that earlier this year, it detected and shut down a fake Microsoft domain that was set up by Russian actors as a landing page for phishing attacks against political candidates.

“Pattern mirrors... 2016 election”

The apparent spear phishing attempt announced this week seems to be part of "continued activity targeting... elected officials, politicians, political groups, and think tanks across the political spectrum in the United States," Microsoft said. "Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."

The six domains that Microsoft took control of were my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email, and office365-onedrive.com.
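Each of the six domains above reuses an organisation's name or a Microsoft service name inside a domain that organisation does not control. As an added illustration, not code from the article, Microsoft or its DCU, here is a Python checker that flags such lookalike sender domains in mail-gateway logs; the token list, allowlist and log lines are constructed assumptions.

```python
# Added example, not code from the article, Microsoft or its DCU: flag sender
# domains that borrow a protected organisation's or Microsoft service's name
# without being that organisation's own domain. All lists here are assumed.
import re
PROTECTED_TOKENS = {  # name fragments to watch for (assumed list)
    "iri": "International Republican Institute",
    "hudson": "Hudson Institute",
    "senate": "US Senate",
    "adfs": "AD FS sign-in",
    "sharepoint": "Microsoft SharePoint",
    "onedrive": "Microsoft OneDrive",
    "office365": "Microsoft Office 365",
}
ALLOWLIST = {"iri.org", "hudson.org", "senate.gov", "microsoft.com"}  # assumed

def registrable_domain(host: str) -> str:
    """Last two labels; fine for these TLDs (use the Public Suffix List in practice)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(host: str) -> list[str]:
    """Return the protected names a host impersonates; empty list if clean."""
    if registrable_domain(host) in ALLOWLIST:
        return []
    host, hits = host.lower(), []
    for token, name in PROTECTED_TOKENS.items():
        # Short tokens ("iri") must sit at a label/hyphen boundary; longer ones may be glued on ("hudsonorg").
        if len(token) <= 4:
            found = re.search(rf"(^|[-.]){token}([-.]|$)", host) is not None
        else:
            found = token in host
        if found:
            hits.append(name)
    return hits

# Constructed mail-gateway log lines using the domains named in the article.
SAMPLE_LOG = """\
2018-08-20T14:02:11Z from=notice@my-iri.org to=staff@example.org
2018-08-20T14:05:47Z from=it@hudsonorg-my-sharepoint.com to=analyst@example.org
2018-08-20T14:12:30Z from=login@adfs-senate.services to=aide@example.org
2018-08-20T14:15:55Z from=no-reply@office365-onedrive.com to=aide@example.org
2018-08-20T14:19:08Z from=clerk@senate.gov to=aide@example.org
"""

def scan_mail_log(log: str) -> list[tuple[str, list[str]]]:
    """Return (sender domain, impersonated names) for each suspicious line."""
    findings = []
    for line in log.splitlines():
        m = re.search(r"from=[^@\s]+@([\w.-]+)", line)
        if m and (hits := classify(m.group(1))):
            findings.append((m.group(1), hits))
    return findings
```

The boundary rule for short tokens keeps names like "iri" from matching ordinary words, while the allowlist keeps the organisation's own mail from being flagged.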

Microsoft said it is still trying to determine "what Strontium intended to do with the domains." Microsoft continued:

Importantly, these domains show a broadening of entities targeted by Strontium's activities. One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the US Senate but are not specific to particular offices. To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.

International Republican Institute President Daniel Twining said Microsoft's findings are evidence of Russian meddling.

"This apparent spear phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights," Twining told The Washington Post. "It is clearly designed to sow confusion, conflict, and fear among those who criticize Mr. Putin's authoritarian regime."

Microsoft said it is working with the International Republican Institute, Hudson Institute, and other targeted organizations on countering threats to their systems. "We've also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators," Smith wrote.

Microsoft also said it is offering a new security service to political campaign organizations and to all candidates for federal, state, and local elected offices. The service, AccountGuard, is available at no extra charge to "candidates, campaigns, and related political institutions" that use Office 365, Microsoft said.
