The Washington Post

Russian hackers who disrupted 2016 election targeting political parties again, Microsoft says

Russian military spies who hacked and leaked Democratic emails to inject chaos into the 2016 presidential election are active again, targeting political parties, advocacy groups and consultants, Microsoft announced Thursday.

China and Iran are also attempting to penetrate the Microsoft email accounts of people affiliated with the political campaigns, though the efforts by Iran against the campaign of President Trump and by China against the campaign of Democratic nominee Joe Biden were not successful, the company said.

The Republican National Committee also was unsuccessfully targeted by Iran, said a person familiar with the matter.

Trump campaign deputy national press secretary Thea McDonald said, “We are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff.”

The news is consistent with recent statements by the Office of the Director of National Intelligence about the three countries being active in the lead-up to the Nov. 3 election.


However, according to current and former intelligence officials and industry analysts, Russia is the adversary with the intent and capability to cause the most significant potential disruption to the election — a possibility that Trump, whom Russia sought to help in 2016, has consistently downplayed.

“We think Russian military intelligence poses the greatest foreign threat to the elections,” said John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye. “It’s concerning to find them targeting organizations associated with campaigns again.”

In its blog post, Microsoft says the Russian hackers, a group it calls Strontium that is better known as Fancy Bear or APT28, have targeted more than 200 organizations, including political campaigns and consultants, since September 2019. It took time for the firm to tie the activity to Russia because the hackers had gotten savvier, running their operations through more than 1,000 Internet Protocol addresses to hide their tracks.

The targets include advocacy organizations and think tanks such as the German Marshall Fund of the United States and national and state party organizations, as well as British political parties. Fancy Bear is a group affiliated with Russian military intelligence, the GRU.

The Russian hackers tried to compromise the email accounts of the staff at the consulting firm SKDKnickerbocker, which works with Biden and other prominent Democrats, but were not successful, according to Reuters.

Campaigns, state and local election offices and parties are more aware of the threat and have boosted their defenses since 2016, officials said. Coordination with federal cybersecurity agencies has also increased.

None of the Microsoft-detected attempts involved voting or election systems, said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.

When it comes to such systems, “we’re not seeing a lot of targeted activity that we can tie back to a state-based actor, or even criminal actors,” Krebs said at the Billington CyberSecurity Summit this week. Through intelligence channels, “we’re not seeing any planning that they’re targeting election infrastructure. It gives me a little bit of confidence.”

What Microsoft could not divine are the respective goals of the Russians, Chinese and Iranians. It could be that they were doing what nation-states such as Russia and China have traditionally done: hack for political espionage purposes.

Moscow and Beijing have long sought to compromise the networks of presidential campaigns to glean insights into the plans and policies of the potential next president. China hacked the campaigns of Barack Obama and John McCain in 2008. In 2012, foreign and domestic hackers tried to gain access to the campaign networks of Obama and Mitt Romney.

Or the Russian spies might have been laying the groundwork for a disruptive attack, similar to their hacks and leaks of Democratic emails four years ago that influenced media coverage and the subsequent political narrative in a way that hurt Trump’s Democratic rival, Hillary Clinton.

The attempts Microsoft described in its announcement are akin to “thieves snooping around to see if the car doors are open,” said another cyberthreat analyst, who was not authorized by his firm to speak on the record. Microsoft is unable to detect attempts on the personal email accounts of people using Gmail or other non-Microsoft services.

Microsoft in October disclosed unsuccessful attempts by Iran to breach email accounts belonging to a U.S. presidential campaign. The target was the Trump campaign, it was reported at the time.

Google in June announced that Chinese and Iranian government hackers targeted the Gmail accounts of staffers working on the Biden and Trump campaigns, respectively, with no signs of compromise.

In the case of the Biden campaign, Microsoft said, Chinese hackers targeted non-campaign email accounts of staffers. They also went after one prominent former Trump administration official, the company said.

Jay Greene, Matt Viser and Isaac Stanley-Becker contributed to this report.