The U.S. election campaigns of both Donald Trump and Joe Biden have been targeted in a slew of recent cyberattacks, Microsoft said on Thursday.
With the U.S. presidential election a mere two months away, in recent weeks cyberattacks targeting people and organizations involved in it have ramped up — including numerous attempts against Trump and Biden staffers, Microsoft said. The tech giant has associated the unsuccessful attacks with threat groups linked to Russia, China and Iran.
“What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers, but also those they consult on key issues,” said Tom Burt, corporate vice president of customer security and trust with Microsoft, in a Thursday post. “The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported.”
One threat group, which Microsoft dubs Zirconium, was spotted launching thousands of attacks between March and September, resulting in nearly 150 compromises. Microsoft said the group is operating from China.
Among those that have been targeted by Zirconium include high-profile individuals associated with the election – such as staffers on the “Joe Biden for President” campaign -and prominent leaders in the international affairs community.
The threat actors, for instance, targeted “non-campaign email accounts belonging to people affiliated with the campaign,” according to Microsoft. “The group has also targeted at least one prominent individual formerly associated with the Trump Administration.”
Zirconium’s TTPs include using web “beacons” that are tied to an attacker-controlled domain. The group then sends the URL of the domain to targets via email text (or attachment) and persuades them to click the link via social engineering.
“Although the domain itself may not have malicious content, [this] allows Zirconium to check if a user attempted to access the site,” said Microsoft. “For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
Beyond politics, Zirconium has also been targeting “prominent individuals in the international affairs community, academics in international affairs from more than 15 universities,” according to Microsoft.
On the other side of the coin, the personal email accounts of staffers associated with the “Donald J. Trump for President” campaign are also being targeted, this time by another threat group called Phosphorus, which Microsoft said is operating from Iran. The group – also known as APT 35, Charming Kitten and Ajax Security Team –was first discovered targeting campaign staffers of both Trump and Biden by Google’s Threat Analysis Group in June, with phishing attacks.
The Iran-linked hacking group has been known to use phishing as an attack vector, and in February was discovered targeting public figures in phishing attacks that stole victims’ email-account information. Earlier this year, Microsoft also took control of 99 websites utilized by the threat group in attacks. Last year, Phosphorus was also discovered attempting to break into accounts associated with the 2020 reelection campaign of President Trump. And most recently, it was seen using WhatsApp and LinkedIn messages to impersonate journalists.
Another threat group seen behind recent phishing attacks targeting officials related to the U.S. elections is a group called Strontium (also known as Fancy Bear, APT28, and Sofacy), operating from Russia, said Microsoft. Microsoft assessed with “high confidence” that the group has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants. These include think-tanks such as The German Marshall Fund of the United States, The European People’s Party, and various U.S.-based consultants serving Republicans and Democrats.
Microsoft said that it believes the group — responsible for election-meddling in 2016 and the attack on the Democratic National Committee — is compromising targets’ email accounts in order to gather intelligence and disrupt operations. Strontium has also shaken up its techniques since the previous 2016 election, where it relied on spear-phishing to capture people’s credentials. Now, the group has been observed launching brute-force attacks and password-spraying tactics, which Microsoft said has likely allowed them to automate aspects of their operations.
“Strontium also disguised these credential-harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service,” according to Microsoft. “Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
With the 2020 U.S. Presidential Election coming up, cybersecurity concerns are under the spotlight – including worries about the integrity of voting machines, the expected expansion of mail-in voting due to COVID-19 and disinformation campaigns. Previous direct hacking efforts, including in 2016, are making many wary about security risks facing the election this time around.
[Listen to Threatpost’s recent podcast discussion about U.S. Election security and disinformation campaigns]
“We disclose attacks like these because we believe it’s important the world knows about threats to democratic processes,” said Microsoft. “It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities.”
The recent slew of cyberattack attempts targeting various political entities should come as no surprise, Neal Dennis, threat intelligence specialist at Cyware, told Threatpost.
“Politicians and their support staff, along with contracted service providers, should anticipate they will at some point be a target of an advanced persistent threat, not if but when,” Dennis said. “A robust and purposefully paranoid mindset around what comes to their inboxes, phones, and other communication platforms – along with strong industry best practices for password management – would serve them well, though not mitigate 100 percent of their risk.”
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.