Russia, China and Iran ramping up attacks ahead of election, Microsoft warns

Washington — Groups backed by Russia, China and Iran have in recent weeks launched cyberattacks targeting the Trump and Biden campaigns, as well as people and organizations involved in the 2020 race, as part of efforts to interfere in the upcoming election, Microsoft warned Thursday.

Tom Burt, the company’s corporate vice president of customer security and trust, said in a blog post that the malign activity “makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as has been anticipated.” Most of the attacks were detected by the tech company and stopped.

The revelation comes after the Treasury Department announced sanctions against four people with links to Russia, including a Ukrainian lawmaker who met with Rudy Giuliani in December, for attempting to influence the U.S. presidential election. The lawmaker, Andriy Derkach, has been an “active Russian agent” for more than a decade and “waged a covert influence campaign” designed to cultivate unsupported narratives concerning officials in the presidential election, the department said. 

The U.S. intelligence community issued an assessment in August that warned of ongoing activity by China, Russia and Iran. Russia, according to the assessment, is actively trying to “denigrate” Biden, while China prefers Mr. Trump loses reelection. Iran, meanwhile, may attempt to “undermine” U.S. democratic institutions and the president through online content.

Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency, said they are aware of the hacking attempts detected by Microsoft and noted the efforts did not involve voting infrastructure or impact election systems.

“The announcement is consistent with earlier statements by the Intelligence Community on a range of malicious cyber activities targeting the 2020 campaign and reinforces that this is an all-of-nation effort to defend democracy,” Krebs said in a statement. “Everyone involved in the political process should stay alert against these sorts of attacks and today we are releasing guidance for improving cyber defenses against account compromise attacks.  We encourage anyone that experiences a cyber incident to report to CISA and the FBI.” 

Microsoft identified three hacking groups that have targeted hundreds of organizations, consultants, think tanks and political parties involved in the upcoming election. 

Strontium, operating from Russia and also known as Fancy Bear, has launched a series of attacks observed by Microsoft beginning in September 2019, seeking to steal login credentials or breach accounts, “presumably to aid in intelligence gathering or disruption operations,” Burt said. The hacking group’s targets include Republican and Democratic consultants, The German Marshall Fund of the United States and other think tanks, national and state party organizations in the U.S., and political parties in the United Kingdom.

The Russia-based group was behind the attacks on the Democratic presidential campaign in 2016 and identified in special counsel Robert Mueller’s report on Russian meddling in the last presidential election. 

According to Microsoft, Zirconium, operating from China, has mounted thousands of attacks between March and September, leading to nearly 150 compromises. The hacking group, which is targeting those associated with the presidential campaigns, “appears to have indirectly and unsuccessfully targeted the Joe Biden for President campaign through non-campaign email accounts belonging to people affiliated with the campaign. The group has also targeted at least one prominent individual formerly associated with the Trump administration.”

The China-based hackers are also targeting individuals in the international affairs community, as well as academics from more than 15 universities and accounts with links to 18 international affairs and policy organizations, such as the Atlantic Council and the Stimson Center, Microsoft said.

The third hacking group, Iran-based Phosphorus, has “operated espionage campaigns targeting a wide variety of organizations traditionally tied to geopolitical, economic or human rights interests in the Middle East region.” 

The group has attempted to hack the personal or work accounts of people involved with the election. Microsoft said between May and June, Phosphorus unsuccessfully tried to log into the accounts of Trump administration officials and staff for Mr. Trump’s campaign.

Thea McDonald, spokeswoman for the Trump campaign, said it takes “cybersecurity very seriously and do not publicly comment on our efforts.”

“As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff,” she said. “We work closely with our partners, Microsoft and others, to mitigate these threats.”

The Biden campaign confirmed the attacks and said they unsuccessfully targeted “non-campaign email accounts of individuals affiliated with the campaign.”

“We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them,” the campaign said. “Biden for President takes cybersecurity seriously, we will remain vigilant against these threats, and will ensure that the campaign’s assets are secured.” 

Microsoft said it would continue to disclose additional activity and called for more federal funding in the U.S. to ensure states can protect their election infrastructure.

“While the political organizations targeted in attacks from these actors are not those that maintain or operate voting systems, this increased activity related to the U.S. electoral process is concerning for the whole ecosystem,” Burt said.