Just months before the US presidential election, hackers from Russia, China & Iran are increasing phishing & malware attacks against campaign staffers.
The US election campaigns of both Donald Trump & Joe Biden have been targeted in a deluge of recent cyber-attacks, Microsoft said recently.
With the US presidential election under 2 months away, cyber-attacks targeting people & organisations involved in it have increased in recent weeks, including many attempts against Trump & Biden staffers, Microsoft commented. Microsoft attributed the unsuccessful attacks to threat groups linked to Russia, China & Iran.
“What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers, but also those they consult on key issues,” observed Tom Burt, Corporate VP of Customer Security & Trust at Microsoft, in a post.
“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated & is consistent with what the US government & others have reported.”
One threat group, which Microsoft calls Zirconium, was seen launching thousands of attacks between March & September, resulting in nearly 150 compromises. Microsoft observed that the group is operating from China.
Those that have been targeted by Zirconium include high-profile people associated with the election, such as staffers on the “Joe Biden for President” Campaign & prominent leaders in the international affairs community.
The threat players, for example, targeted “non-campaign email accounts linked to people affiliated with the campaign,” outlined Microsoft. “The group has also targeted at least 1 prominent individual formerly associated with the Trump Administration.”
Zirconium’s TTPs include using web “beacons” that are linked to an attacker-controlled domain. The group then sends the URL of the domain to targets via email text or attachment & persuades them to click the link via social engineering.
“Although the domain itself may not have malicious content, this allows Zirconium to check if a user attempted to access the site,” observed Microsoft. “For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
In addition, Zirconium has also been targeting “prominent individuals in the international affairs community, academics in international affairs from more than 15 universities,” says Microsoft.
The personal email accounts of staffers associated with the “Donald J. Trump for President” campaign are also being targeted, this time by another threat group called ‘Phosphorus’, which Microsoft said is operating from Iran. The group, also known as ‘APT 35’, ‘Charming Kitten’ & ‘Ajax Security Team’, was first discovered targeting campaign staffers of both Trump & Biden by Google’s Threat Analysis Group in June, with phishing attacks.
The Iran-linked hacking group has been known to use phishing as an attack method, & in February was found targeting public figures in phishing attacks that stole victims’ email-account information. Earlier this year, Microsoft also took control of 99 websites utilised by the threat group in attacks. In 2019, Phosphorus was also discovered attempting to break into accounts associated with the 2020 re-election campaign of President Trump.
Most recently, it was seen using WhatsApp & LinkedIn messages to impersonate journalists.
Another threat group seen behind recent phishing attacks targeting officials related to the US elections is called ‘Strontium’ (also known as ‘Fancy Bear’, ‘APT28’, & ‘Sofacy’), operating from Russia, said Microsoft. Microsoft said with “high confidence” that the group has attacked over 200 organisations including political campaigns, advocacy groups, parties & political consultants.
These include think-tanks such as ‘The German Marshall Fund of the US’, ‘The European People’s Party’, & various US-based consultants serving Republicans & Democrats.
Microsoft said it believes the group, which was responsible for election meddling in 2016 & the attack on the Democratic National Committee, is compromising targets’ email accounts in order to gather intelligence & disrupt operations. Strontium has also changed its techniques since the 2016 election, when it used spear-phishing to capture people’s credentials.
Now, the group has been seen launching ‘brute-force’ attacks & password-spraying tactics, which Microsoft said have likely let it automate aspects of its operations.
“Strontium also disguised these credential-harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service,” according to Microsoft.
“Strontium even evolved its infrastructure over time, adding & removing about 20 IPs per day to further mask its activity.”
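The pattern described above (credential guessing spread thinly across many accounts and many rotating source addresses) is designed to stay under per-IP and per-account lockout thresholds. The following detection sketch is an added example, not code from the article or from Microsoft: it runs over a constructed authentication-failure log in an assumed `auth_fail user=... src=...` format and flags a window in which many distinct accounts each fail only a few times from many distinct sources, while showing that the busiest single IP would never trip a typical per-IP rule.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed auth-failure log (not from the article); RFC 5737 documentation IPs.
SAMPLE_LOG = """\
2020-09-10T09:00:01Z auth_fail user=alice src=203.0.113.10
2020-09-10T09:00:07Z auth_fail user=bob src=203.0.113.11
2020-09-10T09:00:13Z auth_fail user=carol src=198.51.100.5
2020-09-10T09:00:19Z auth_fail user=dave src=198.51.100.6
2020-09-10T09:00:25Z auth_fail user=erin src=203.0.113.12
2020-09-10T09:00:31Z auth_fail user=frank src=198.51.100.7
2020-09-10T09:00:37Z auth_fail user=grace src=203.0.113.13
2020-09-10T09:00:43Z auth_fail user=heidi src=198.51.100.8
2020-09-10T11:30:00Z auth_fail user=alice src=203.0.113.10
2020-09-10T11:30:05Z auth_fail user=alice src=203.0.113.10
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(text):
    """Return sorted (timestamp, user, src) tuples; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"]))
    return sorted(events)

def max_failures_per_source(events):
    """What a per-IP lockout rule sees: the failure count of the busiest single source."""
    return max(Counter(src for _, _, src in events).values(), default=0)

def detect_spray(events, window=timedelta(minutes=10), min_users=6, max_per_user=2, min_srcs=4):
    """Flag windows where many accounts each fail a few times from many sources:
    per-IP and per-account thresholds stay quiet, the fleet-wide view does not."""
    alerts, i = [], 0
    while i < len(events):
        start, users, srcs, j = events[i][0], defaultdict(int), set(), i
        while j < len(events) and events[j][0] - start <= window:
            users[events[j][1]] += 1
            srcs.add(events[j][2])
            j += 1
        if len(users) >= min_users and max(users.values()) <= max_per_user and len(srcs) >= min_srcs:
            alerts.append({"start": start, "users": len(users), "srcs": len(srcs), "failures": j - i})
            i = j  # the rest of this window is the same event; do not re-alert on it
        else:
            i += 1
    return alerts
```

On the sample, `max_failures_per_source` reports only 3 failures for the busiest IP, while `detect_spray` raises one alert covering 8 accounts from 8 sources; the two repeated `alice` failures later in the day are a normal user mistyping and are not flagged.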
With the 2020 US Presidential Election imminent, cyber-security concerns are under scrutiny, including worries about the integrity of voting machines, the expected expansion of mail-in voting due to COVID-19 & disinformation campaigns. Previous direct hacking efforts, including in 2016, have left many worried about the security risks facing the election this time around.
“We disclose attacks like these because we believe it’s important the world knows about threats to democratic processes,” explained Microsoft. “It is critical that everyone involved in democratic processes around the world, both directly and indirectly, be aware of these threats & take steps to protect themselves in both their personal & professional capacities.”
The recent cyber-attack attempts targeting various political entities should not be a surprise, Neal Dennis, Threat Intelligence Specialist at Cyware explained.
“Politicians & their support staff, along with contracted service providers, should anticipate they will at some point be a target of an advanced persistent threat, not if but when,” Dennis commented.
“A robust & purposefully paranoid mindset around what comes to their inboxes, phones, & other communication platforms, along with strong industry best practices for password management would serve them well, though not mitigate 100% of their risk.”