Microsoft: We've just messed up Russian plans to attack US 2018 midterm elections

Claiming a win over Russian plans to hack US politicians, Microsoft unveils a new security service to detect attacks expected in the lead-up to the midterms.
Written by Liam Tung, Contributing Writer

Microsoft has once again turned to US courts to seize six internet domains it says the notorious Fancy Bear hackers had set up for spearphishing US politicians and think-tanks ahead of the midterm elections in November.

Along with the domain seizures, Microsoft has launched a new security service dubbed Microsoft AccountGuard, which will be available at no charge to all current US federal, state and local candidates, so long as they're using Office 365.

The service includes threat detection and notifications for eligible Office 365, Outlook.com, and Hotmail accounts.

Microsoft will directly notify these organizations if it detects new threats targeting users' corporate email addresses and personal accounts, while offering early access to security features usually reserved for large business and government customers.

SEE: Can Russian hackers be stopped? Here's why it might take 20 years (TechRepublic)

The domains seized were designed to mimic websites of the International Republican Institute, whose board includes six Republican senators, conservative think-tank the Hudson Institute, the ADFS (Active Directory Federation Services) email service of the US Senate, and Microsoft's Office 365 and OneDrive services.

Microsoft said the sites were created by Fancy Bear hackers, widely believed to be linked to the Russian military.

US intelligence accused Fancy Bear of hacking the Democratic National Committee's computers in 2016 and leaking sensitive emails via WikiLeaks to sway the presidential election in favor of Donald Trump and harm his opponent, Hillary Clinton. That hack occurred after a spearphishing attack against officials from Clinton's campaign team.

"Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week's order fit this description," said Microsoft president and chief legal officer Brad Smith.
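Smith's point, that the seized sites were built to resemble domains the targets already trusted, describes a pattern a mail or proxy team can screen for. The following is an added example, not Microsoft's tooling: it flags a sender or link hostname that is a one-character typosquat of a protected domain or that embeds one of its brand tokens. The protected domains and all candidate hostnames are constructed placeholders, not the domains named in the court order.

```python
"""Flag lookalike hostnames against a watchlist of legitimate domains.

Added example. LEGITIMATE and BRAND_TOKENS are constructed stand-ins for the
organisations and services mentioned in the article; real deployments should
derive registrable domains from the Public Suffix List rather than this
two-label shortcut.
"""
from typing import Optional

# Hostnames the protected organisation genuinely receives mail/links from (constructed).
LEGITIMATE = {
    "iri.org",
    "hudson.org",
    "adfs.senate.gov",
    "login.microsoftonline.com",
    "onedrive.live.com",
}

# Brand words an impersonator typically embeds in a domain it controls.
BRAND_TOKENS = ("office365", "onedrive", "adfs", "senate", "hudson", "microsoft")


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplified; ignores multi-label suffixes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Return why `host` resembles a protected domain, or None if it looks unrelated."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE or any(host.endswith("." + d) for d in LEGITIMATE):
        return None  # exact match or a genuine subdomain
    label = registrable_domain(host).split(".")[0]
    for legit in {registrable_domain(d) for d in LEGITIMATE}:
        legit_label = legit.split(".")[0]
        # Compare second-level labels only, so a TLD swap (.org -> .com) is caught too.
        # Short labels get no edit tolerance, to limit false positives on 3-letter names.
        if edit_distance(label, legit_label) <= (1 if len(legit_label) >= 5 else 0):
            return f"typosquat of {legit}"
    flat = "".join(ch for ch in host if ch.isalnum())
    for token in BRAND_TOKENS:
        if token in flat:
            return f"embeds brand token '{token}'"
    return None
```

Run it over the sender domains in mail headers and the hostnames of links in message bodies; a hit is a review queue item, not proof of compromise, since legitimate lookalikes (partner portals, regional TLDs) do occur.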

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

He said Microsoft was concerned the attempts posed security threats to a broadening array of groups connected with both US political parties in the lead-up to the midterm elections.

However, he noted that Microsoft has no evidence the domains have been used in any successful attack and does not have evidence who the ultimate targets were.

"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups, and think-tanks across the political spectrum in the United States," he noted.

"Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."

The domain seizure was led by Microsoft's Digital Crimes Unit, which has used similar court orders 12 times in two years to shut down 84 bogus websites linked to Fancy Bear, which Microsoft calls Strontium and which is also known as APT28.

Microsoft's action follows the indictment by the Justice Department in July of 12 officials from the GRU, Russia's main intelligence directorate, over the DNC hack.

Previous and related coverage

Russian election meddling continues, says US: So why can't it be stopped?

The US is struggling to find a way to deter hacking and other interference.

US election hack: Microsoft wins latest round in court against Fancy Bear phishers

A US judge has banned the Fancy Bear hackers from attacking Microsoft's customers.

Fancy Bear strikes again: Russian hackers accessed IAAF athletes' medical data in cyberattack

Confidential medical data about athletes "seems to have been removed from the server" of the world athletics governing body.

FBI to all router users: Reboot now to neuter Russia's VPNFilter malware

The FBI is recommending that all small business and home router owners reboot devices, even if they're not among the brands known to be affected.

Russians suspected of new German attack may 'have been inside system for a year'

German intelligence services and federal specialists are investigating "an IT security incident".

Beware of Russian attackers impersonating LoJack security software to hack computers (TechRepublic)

The popular anti-theft software, which is built into many popular computers at the BIOS level, is being impersonated by Fancy Bear.

US takes aim at Russian hackers who infected over 500,000 routers (CNET)

The VPNFilter malware targeted devices worldwide from Linksys, MikroTik, Netgear and TP-Link.