Thursday’s disclosure sheds new light on efforts by Chinese and Iranian hackers to break into US political campaigns and suggests that Russian hacking efforts have continued apace.
Top US cybersecurity officials acknowledged that Microsoft detected attempts to compromise email accounts of people and organizations associated with the presidential race but said there is no evidence election systems were affected.
“It is important to highlight that none are involved in maintaining or operating voting infrastructure and there was no identified impact on election systems,” Chris Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in a statement to CNN Thursday.
Microsoft said the same Russian hacking group that was identified by US prosecutors as being primarily responsible for the attacks on the Democratic presidential campaign in 2016 had recently targeted national and state parties in the US and consultants who work for Republicans and Democrats. Microsoft said the Russians’ tactics had evolved since 2016 and include likely automated “brute force” attacks.
The report said the Russian group had targeted more than 200 organizations, many of which, Microsoft said, “are directly or indirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe.”
Microsoft did not specify the number of organizations targeted by Chinese and Iranian groups.
Chinese hackers targeted Vice President Joe Biden’s campaign and at least one person formerly associated with President Donald Trump’s administration.
And between May and June of this year, Microsoft said, Iranian hackers tried to log into the accounts of Trump administration officials and Trump campaign staff.
“What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those who they consult on key issues,” Microsoft said.
It said it had alerted those who were targeted by the hackers, and the US intelligence community was briefed on the findings, two sources familiar with the discussions told CNN.
“The private sector plays a crucial role in the whole-of-society effort to safeguard our elections and national security,” an ODNI official told CNN Thursday when asked about Microsoft’s announcement. “We welcome their assistance and will continue partnering with them to combat foreign efforts to target political candidates, campaigns and others involved in the US elections.”
In his statement Thursday, Krebs said Microsoft’s announcement “is consistent with earlier statements by the Intelligence Community on a range of malicious cyber activities targeting the 2020 campaign and reinforces that this is an all-of-nation effort to defend democracy.”
“We encourage anyone that experiences a cyber incident to report to CISA and the FBI,” he added.
Microsoft has teams that track sophisticated hacking groups, and the report released Thursday provides the most in-depth insight yet into how hackers are targeting the 2020 election.
Intelligence officials have said they have uncovered evidence that Russia is currently interfering in the election to hurt Biden’s campaign. Separately, some evidence has already emerged about Moscow’s alleged efforts, including Facebook’s announcement last week that a troll group that was part of Russia’s attempt to interfere in the 2016 US presidential election is trying to target Americans again.
But while the intelligence community has assessed that China and Iran prefer Trump to lose in November, officials have offered no indication, to date, that either country is acting on that preference in the same way as Russia, according to public statements issued by the intelligence community and sources familiar with the underlying evidence.
That has not stopped Trump and his top national security officials from sounding the alarm about China ahead of the election while downplaying the threat of Russian interference.
It is important to note that what Microsoft disclosed on Thursday is not the totality of foreign efforts to target American political campaigns. Google revealed in June that it had detected other attempts from China and Iran.
“As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff. We work closely with our partners, Microsoft and others, to mitigate these threats. We take cybersecurity very seriously and do not publicly comment on our efforts,” Trump campaign spokesperson Thea McDonald told CNN Thursday when asked about the announcement.
A Biden campaign official told CNN they were taking the report seriously.
“We are aware of reports from Microsoft that a foreign actor has made unsuccessful attempts to access the non-campaign email accounts of individuals affiliated with the campaign. We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them. Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured,” they said.
A spokesman for Iran’s foreign ministry pushed back on Microsoft’s claims in a statement to CNN later Thursday, saying the “report is basically inadmissible and absurd.”
“United States of America has interfered for decades in the elections of other countries including Iran … US is leading disinformation campaigns against other countries. Therefore US is not in a position to have such claim,” foreign ministry spokesman Saeed Khatibzadeh said.
“As we have reiterated over and over, for Tehran, it does not matter who is the president in (the) White House. What matters is that Washington to abide international law, regulations and norms and stop interfering in other countries and honor its commitments,” he added.
CNN has reached out to the governments of Russia and China for comment.
Microsoft detailed how each hacking group targeted people tied to the 2020 election:
The infamous Russian military intelligence hacking group “Fancy Bear” that attacked the Democrats in 2016 targeted consultants working with Republicans and Democrats, national and state party organizations in the US, and think tanks including The German Marshall Fund of America.
Sydney Simon, a German Marshall Fund spokesperson, said there is no evidence the hacking attempts targeting them were successful.
“Many of Strontium’s targets in this campaign, which has affected more than 200 organizations in total, are directly or indirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe,” the company said.
Microsoft, which refers to “Fancy Bear” by its other moniker “Strontium,” said the Russian hackers had evolved their tactics since the 2016 election “to include new reconnaissance tools and new techniques to obfuscate their operations.”
“In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” Microsoft said.
The Russian government has denied it attempted to interfere with the 2016 election.
In response to Microsoft’s findings, John Hultquist, a senior director at the cybersecurity firm FireEye, said in a memo to the company’s clients, “Multiple cyber espionage actors have targeted organizations associated with the upcoming election, but we remain most concerned by Russian military intelligence, who we believe poses the greatest threat to the democratic process.”
Hultquist noted how this particular Russian hacking group has been tied to devastating cyber-attacks and routinely violates international norms.
He said targeting of political organizations is a “common feature of cyber espionage. Parties and campaigns are good sources of intelligence on future policy and it’s likely Iranian and Chinese actors targeted US campaigns to quietly collect intelligence,” but added that this Russian group’s “unique history” of leaking hacked materials “raises the prospect of follow-on information operations or other devastating activity.”
Chinese hackers unsuccessfully targeted the Biden campaign through non-campaign email accounts belonging to people associated with the campaign, Microsoft said.
“The group has also targeted at least one prominent individual formerly associated with the Trump Administration,” the company said.
The hacking group also targeted academics, universities, and think tanks including the Atlantic Council, Microsoft said. In all, it said it had “detected thousands of attacks from Zirconium between March 2020 and September 2020 resulting in nearly 150 compromises.”
Outlining the activity of the hacking group “Phosphorus,” which Microsoft says is operating from Iran, the company said, “Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of Administration officials and Donald J. Trump for President campaign staff.”