The effort by the notorious APT28 hacking group, which has been publicly linked to a Russian intelligence agency and actively interfered in the 2016 presidential election, underscores the aggressive role that Russian operatives are playing ahead of the midterm elections in the United States. U.S. officials have repeatedly warned that the November vote is a major focus for interference efforts. Microsoft said the sites were created over the past several months and that the company was able to catch them early, as they were being set up. It did not go into more specifics.
Microsoft’s Digital Crimes Unit, which is responsible for the company’s response to email phishing schemes, took the lead role in finding and disabling the sites, and the company is launching an effort to provide expanded cybersecurity protection for campaigns and election agencies that use Microsoft products.
Among those targeted were the Hudson Institute, a conservative Washington think tank active in investigations of corruption in Russia, and the International Republican Institute (IRI), a nonprofit group that promotes democracy worldwide. Three other fake sites were crafted to appear as though they were affiliated with the Senate, and one nonpolitical site spoofed Microsoft’s own online products.
The Senate did not immediately respond to requests for comment late Monday.
Microsoft said Monday that it had found no evidence that the fake sites it recently discovered were used in attacks, but fake sites can carry malware that automatically loads onto the computers of unsuspecting visitors. Hackers often send out deceptive “spear-phishing” emails to trick people into visiting sites that appear to be authentic but in fact allow the attackers to penetrate and gain control of computers that log on, allowing the theft of emails, documents, contact lists and other information.
“This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights,” said Daniel Twining, IRI’s president, who blamed Russian President Vladimir Putin. “It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime.”
The move by Microsoft is the latest effort by Silicon Valley to address Russian threats to the coming election more aggressively than the technology industry did in 2016, when many woke up to the seriousness and sophistication of disinformation efforts only after Americans had voted. Companies and U.S. officials have vowed to work together more closely this year. Facebook recently disclosed that the company took down 32 fake accounts and pages that were tied to the Internet Research Agency, a Russian disinformation operation active before and after the 2016 election.
Asked about Microsoft’s allegations Tuesday, Kremlin spokesman Dmitry Peskov said, “We don’t know what hackers they are talking about.”
Peskov told reporters, “We don’t understand what they mean and what the evidence is, what the conclusions are based on.”
After discovering the sites recently, Microsoft said, it sought to obtain a court order to transfer the domain names to its own servers, a legal tactic that the company’s security division has used a dozen times since 2016 to disable 84 websites created by APT28, which also is sometimes called Strontium or Fancy Bear. APT28, a unit under the Russian military intelligence agency GRU, specializes in information warfare or hacking and disinformation operations. “APT” refers to “advanced persistent threat” in cybersecurity circles.
The court order, executed last week in a federal court in the Eastern District of Virginia, effectively allowed Microsoft to shut down the sites and to research them more fully. Microsoft has used the legal tactic to go after botnets, or malicious networks of automated accounts, since at least 2010.
The cases have been brought under trademark infringement after a federal judge agreed that the group, which Microsoft calls Strontium, poses an “advanced persistent threat” and would continue its attacks.
Microsoft President Brad Smith said in an interview that the company had been tracking the Russian-government-backed group for two years but had decided to speak publicly about the company’s efforts for the first time because of a growing sense of urgency and an uptick in Russian activity ahead of the midterms.
“You can’t really bring people together in a democratic society unless we share information about what’s going on,” Smith told The Washington Post. “When there are facts that are clear as day, for those of us who operate inside companies, increasingly we feel it’s an imperative for us to share this more broadly with the public.”
He said that the technology industry was seeking to become more transparent with the public. The company previously had announced that two political candidates had been subjected to spear-phishing attacks.
Installing malicious software on phony websites is a popular method for hacking into computers and resembles the tactic used in the attack on John Podesta, the campaign chairman for Hillary Clinton, who received a fake security-warning email that linked to a phony site created by Russians. His stolen emails were released publicly in the final weeks of the presidential election campaign and caused embarrassment for their blunt assessments of various matters. Cybersecurity researchers have blamed the hack of Podesta’s email on APT28.
Special counsel Robert S. Mueller III in July indicted 12 Russian intelligence officers, accusing them of hacking the Democratic National Committee, also in 2016.
Microsoft did not explicitly blame the Russian intelligence agency for the attack announced Monday but it did cite Russia’s government and named APT28 and its pseudonyms, Strontium and Fancy Bear.
The Hudson Institute said that it, like many Washington institutions, had been the subject of previous cyberattacks. David Tell, the group’s director of public affairs, said the Hudson Institute’s Kleptocracy Initiative, which frequently reports on corruption in Russia, may have made the conservative think tank a target. Tell also noted that Director of National Intelligence Daniel Coats, speaking at the Hudson Institute in July, called Russia “the most aggressive foreign” actor in seeking to divide Americans, which could have drawn the attention of APT28.
“This kind of stuff does happen. It’s happened to us before,” Tell said. “It doesn’t surprise me that bad actors in nondemocratic states would want to mess with us.”
The phony websites, which were registered with major web-hosting companies, were at my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com, according to Microsoft. Their discovery underscores the central role that American tech companies, which frequently have been criticized for hosting Russian disinformation on their platforms, can play in ferreting it out.
Eric Rosenbach, former Pentagon chief of staff and now co-director of Harvard University’s Belfer Center for Science and International Affairs, applauded Microsoft for quickly announcing its discoveries. He said companies sometimes can act in ways that governmental agencies cannot because of legal and ethical restrictions.
“The tech sector needs to play a role in protecting elections and protecting campaigns,” Rosenbach said. “The tech sector will have visibility on some of these things that the [National Security Agency] never could and never should.”
Microsoft also said Monday it was launching an initiative to provide enhanced cybersecurity protections free to candidates and campaign offices at the federal, state and local levels that use its Office 365 software, as well as think tanks and political organizations that the company believes are under attack.
“For many decades, people in democratic societies saw these as fundamentally tools that were more likely to bring information to people living in authoritarian countries, and we didn’t really worry about these kinds of technologies causing risks to a democratic society,” Smith said. “What we’re seeing now, with email and voting systems and social media, is [the technologies] creating an asymmetric risk for democratic societies.”
Correction: An earlier version of this article said that Microsoft had found five websites attempting to imitate sites of authentic groups. The correct number is six.
Timberg reported from Washington. Natalia Abbakumova in Moscow and Ellen Nakashima in Washington contributed to this report.