Russian, Chinese, and Iranian hackers have all been conducting cyberattacks targeting people and organizations associated with the Trump and Biden campaigns and other organizations affiliated with the upcoming 2020 presidential election, according to a new report.
Microsoft named the three foreign Advanced Persistent Threat hacker groups in a Thursday blog post as Strontium, or APT28, from Russia, Zirconium from China, and Phosphorus from Iran, noting that “the activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated.” Microsoft, which said it directly notified those targeted, stressed that “what we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those they consult on key issues.”
Russian Strontium, named in special counsel Robert Mueller’s report as the Russian military intelligence group involved with hacking the Democratic National Committee’s email systems in 2016, “has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants … affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe” since September 2019, according to Microsoft’s Threat Intelligence Center. Targets include Republican and Democratic consultants, think tanks such as the German Marshall Fund, U.S. national and state party organizations, and political parties in Europe and the United Kingdom.
The Russian hackers are “launching campaigns to harvest people’s log-in credentials or compromise their accounts, presumably to aid in intelligence gathering or disruption operations,” Microsoft said. Whereas the 2016 Russian efforts revolved mainly around spear phishing, in recent months the Russians have engaged in “brute force attacks and password spray” and have “disguised these credential harvesting attacks in new ways,” including “running them through more than 1,000 constantly rotating IP addresses.” A separate Microsoft report on Strontium said that over the last year it launched credential harvesting attacks “against tens of thousands of accounts.”
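The password-spray pattern Microsoft describes (a few guesses against many accounts, spread across many source addresses so that no single account or IP trips a lockout) has a recognisable shape in authentication logs. The following detector is an added illustration, not code from Microsoft's report or from the article: it reads a constructed, simplified log format (timestamp, outcome, user, source IP) and flags a time window in which many distinct accounts each fail only once or twice from several different IPs, while leaving a single user who mistypes a password three times alone. Successful logins from any of the spraying IPs inside the same window are listed separately, since those are the accounts to review first.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real data): a low-and-slow spray across seven accounts
# from seven addresses, one success from a spraying address, then one user
# (alice) mistyping her password three times from a single internal address.
SAMPLE_LOG = """\
2020-09-10T08:00:01Z FAIL alice 203.0.113.10
2020-09-10T08:00:03Z FAIL bob 203.0.113.11
2020-09-10T08:00:05Z FAIL carol 198.51.100.7
2020-09-10T08:00:07Z FAIL dave 198.51.100.8
2020-09-10T08:00:09Z FAIL erin 203.0.113.12
2020-09-10T08:00:11Z FAIL frank 192.0.2.200
2020-09-10T08:00:13Z FAIL grace 192.0.2.201
2020-09-10T08:00:15Z SUCCESS heidi 192.0.2.201
2020-09-10T08:30:00Z FAIL alice 10.0.0.5
2020-09-10T08:30:04Z FAIL alice 10.0.0.5
2020-09-10T08:30:09Z FAIL alice 10.0.0.5
2020-09-10T08:30:15Z SUCCESS alice 10.0.0.5
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, outcome, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), outcome, user, ip))
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2, min_ips=3):
    """Return one alert per window that looks like a spray.

    A window qualifies when at least `min_users` accounts each fail at most
    `max_per_user` times and the failures come from at least `min_ips`
    distinct source addresses. Thresholds are assumptions for this example;
    tune them against your own baseline of normal failed logins.
    """
    events = sorted(events)
    failures = [e for e in events if e[1] == "FAIL"]
    alerts = []
    skip_until = None  # avoid re-alerting on overlapping windows
    for t0, _, _, _ in failures:
        if skip_until is not None and t0 < skip_until:
            continue
        t1 = t0 + window
        in_window = [e for e in failures if t0 <= e[0] < t1]
        per_user = Counter(u for _, _, u, _ in in_window)
        spray_ips = {ip for _, _, _, ip in in_window}
        low_and_slow = [u for u, n in per_user.items() if n <= max_per_user]
        if len(low_and_slow) >= min_users and len(spray_ips) >= min_ips:
            # Accounts that logged in successfully from a spraying address
            # during the window are the first to check for compromise.
            successes = sorted(u for t, o, u, ip in events
                               if o == "SUCCESS" and t0 <= t < t1 and ip in spray_ips)
            alerts.append({
                "start": t0,
                "end": t1,
                "users": sorted(low_and_slow),
                "source_ips": sorted(spray_ips),
                "successes_from_spray_ips": successes,
            })
            skip_until = t1
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The per-user cap is what separates a spray from an ordinary brute-force or a forgetful user: raising it turns the rule into a generic failed-login counter and loses the distinction. Because the attackers Microsoft describes rotate through many addresses, the IP threshold should be read as "several", not as a single repeat offender, and grouping by autonomous system or by the set of targeted accounts rather than by IP is the natural next refinement.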
Chinese Zirconium “has attacked high-profile individuals associated with the election,” including “people associated with” the Biden campaign and “at least one prominent individual formerly associated with the Trump Administration,” Microsoft said, adding that it has “detected thousands of attacks from Zirconium between March 2020 and September 2020 resulting in nearly 150 compromises.” The Chinese hackers have also gone after “prominent leaders in the international affairs community,” including at 15 universities, along with accounts tied to 18 international affairs organizations such as the Atlantic Council and Stimson Center. The group uses “web bugs” or “web beacons” to conduct illicit reconnaissance.
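A web beacon of the kind the article mentions is typically a remote image reference embedded in an HTML email; when the mail client fetches it, the sender learns that the message was opened, when, and from which address, without the reader doing anything. The code below is an added example, not from Microsoft or the article: it scans a constructed HTML message with Python's standard `html.parser`, lists every image that would cause a remote fetch, and singles out those that are one pixel or smaller or hidden by inline CSS, which is the classic tracking-pixel shape. The hostnames are placeholders in the reserved `.example` domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): an inline logo that loads no
# remote content, a 1x1 tracking pixel, a hidden pixel with no size attributes,
# and an ordinary visible banner that still leaks an open event when fetched.
SAMPLE_EMAIL_HTML = """\
<html><body>
<p>Hello, please see the attached agenda.</p>
<img src="cid:logo" width="200" height="60" alt="logo">
<img src="https://tracker.example/o?id=abc123" width="1" height="1">
<img src="https://tracker.example/p?id=abc123" style="display: none">
<img src="http://cdn.example/banner.png" width="600" alt="banner">
</body></html>
"""


def _tiny(value):
    """True when a width/height attribute is 1px or less (classic tracking pixel)."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


class _BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images = []   # every image that triggers a remote fetch
        self.likely_beacons = []  # the subset that is tiny or hidden

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        # cid: and data: images are carried inside the message; only http(s)
        # sources contact a server the sender controls.
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.remote_images.append(src)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if (_tiny(a.get("width")) and _tiny(a.get("height"))) or hidden:
            self.likely_beacons.append(src)


def find_beacons(html):
    """Return remote image URLs and the subset that look like tracking beacons."""
    parser = _BeaconFinder()
    parser.feed(html)
    parser.close()
    return {"remote_images": parser.remote_images,
            "likely_beacons": parser.likely_beacons}


if __name__ == "__main__":
    for kind, urls in find_beacons(SAMPLE_EMAIL_HTML).items():
        print(kind, urls)
```

The size and visibility heuristics catch the obvious pixels, but the visible banner is just as effective a beacon, which is why the mitigation that actually works is a client or gateway policy that does not load any remote image by default (or proxies all of them through a shared fetcher), rather than trying to tell tracking images apart from decorative ones.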
Microsoft said Iranian Phosphorus “has continued to attack the personal accounts of people associated with” President Trump’s campaign, and has “unsuccessfully attempted to log into the accounts of administration officials” and Trump campaign staff between May and June. The Iranian hackers have also “operated espionage campaigns targeting a wide variety of organizations traditionally tied to geopolitical, economic, or human rights interests in the Middle East region,” and Microsoft has been empowered by a federal court to take control of 155 of the group’s domains “as part of our ongoing efforts to disrupt Phosphorus activity.”
Trump campaign deputy national press secretary Thea McDonald told the Washington Examiner: “As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff. We work closely with our partners, Microsoft and others, to mitigate these threats. We take cybersecurity very seriously and do not publicly comment on our efforts.”
A Biden campaign official told CNN: “We are aware of reports from Microsoft that a foreign actor has made unsuccessful attempts to access the non-campaign email accounts of individuals affiliated with the campaign. We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them. Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured.”
“The private sector plays a crucial role in the whole-of-society effort to safeguard our elections and national security,” an official with the Office of the Director of National Intelligence told the Washington Examiner. “We welcome their assistance and will continue partnering with them to combat foreign efforts to target political candidates, campaigns and others involved in the U.S. elections.”
Bill Evanina, who leads the National Counterintelligence and Security Center, released an intelligence assessment in August warning that Russia is “using a range of measures to primarily denigrate” Joe Biden, including that “pro-Russia Ukrainian parliamentarian Andriy Derkach is spreading claims about corruption — including through publicizing leaked phone calls — to undermine” the former vice president’s candidacy. The same statement said China “prefers” Trump not win reelection and is “expanding its influence efforts ahead of November 2020” in order to “pressure political figures it views as opposed to China’s interests.” The counterintelligence official also said Iran “seeks to undermine” Trump’s presidency.
On Thursday, the Treasury Department announced sanctions against Derkach as well as three Russian nationals for supporting the Internet Research Agency, a Russian social media troll farm.
In response to the Microsoft revelations, threat intelligence firm FireEye told its customers, “We remain most concerned by Russian military intelligence, who we believe poses the greatest threat to the democratic process.” According to Wired, the group said that “it’s likely Iranian and Chinese actors targeted U.S. campaigns to quietly collect intelligence, but APT28’s unique history raises the prospect of follow-on information operations or other devastating activity.”
Trump administration officials have suggested that China poses the biggest threat to the 2020 presidential election, while Democrats have insisted Russia remains the greatest election challenge.
Mueller’s April 2019 report said Russians interfered in the 2016 election in a “sweeping and systematic fashion” but “did not establish” criminal collusion between any Russians and anyone in Trump’s orbit.
