Microsoft found Russian phishing sites mimicking Republican groups
The International Republican Institute and Hudson Institute were among the targets.
Weeks after Microsoft revealed it detected Russian hackers targeting multiple 2018 campaigns (including Senator Claire McCaskill) the company is announcing it found and disabled six spoof domains created by "a group widely associated with the Russian government." That group is known as APT28, Fancy Bear or Strontium, and has been tagged as responsible for some of the hacking that occurred prior to the 2016 presidential election.
Microsoft president Brad Smith wrote in a blog post that its Digital Crimes Unit used a court order to take control of these domains: my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com. The IRI and Hudson URLs in particular could've been used to impersonate two conservative think tanks, although Microsoft said it has no evidence they've been used in successful attacks. Combined with other attempts Microsoft detected, Smith wrote: "Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."
By creating fake websites and sending spear phishing messages to their targets, the attackers could gain credentials used to access data in the same way that they exploited the account of Clinton campaign chairman John Podesta. Tech giants have warned the US government about their concerns over security leading up to elections in November, and now Microsoft said its Defending Democracy Program will expand to include AccountGuard.
That consists of three services (unified threat detection and notifications, security advice, and access to early adopter features that are usually limited to corporate accounts) it will provide for free to "all current candidates for federal, state and local office in the United States and their campaigns; the campaign organizations of all sitting members of Congress; national and state party committees; technology vendors who primarily serve campaigns and committees; and certain nonprofit organizations and nongovernmental organizations." One small (but obvious) catch: they'll have to use Office 365.
By comparison, Google rolled out Advanced Protection for individuals last year, along with ongoing security improvements in its G Suite setups for organizations and recently renewed a push for hardware security keys by selling some of its own "Titan" units. Facebook recently removed a number of fake pages targeting the 2018 election as well, confirming that attackers will try to influence the outcomes again, and we will need to see more from these combined efforts to keep that from happening.