At a glance.
- Adversaries' interests in the US elections.
- More imposition of costs on individual threat actors.
- CISA advises US election officials on how to handle email-borne threats.
Microsoft's account of what the opposition is interested in during the 2020 US election season.
Microsoft yesterday described its findings on threats to the US election. Redmond has amassed evidence of extensive Russian, Chinese, and Iranian efforts to penetrate or impede US political campaigns. The attempts to gain access to campaign-related networks seem to have been generally unsuccessful, but the report is interesting in what it suggests about the three countries' goals. The target selection is about what one might expect, given the three governments’ general policy objectives.
Tehran really doesn’t like President Trump. The Iranian group Phosphorus (Microsoft's name; others call this one APT35 or Charming Kitten) is hitting personal accounts of people associated with President Trump’s campaign.
Beijing, on the other hand, seems interested in former Vice President Biden’s campaign for the Presidency. It also wants to keep a close eye on the US foreign policy establishment, probably because of the extent to which American sanctions against and woofing in the direction of Chinese companies have become a thorn in the Pandas’ paws. The Chinese group Zirconium (APT31 or Hurricane Panda) is most interested in “high-profile individuals associated with the election,” including some having to do with the Biden campaign as well as “prominent leaders in the international affairs community.” The interest in the Biden campaign may have more to do with collection against a possible incoming administration than it does with disruption of the campaign itself.
Moscow is looking for opportunistic trouble. Russia’s Strontium (APT28, the GRU’s Fancy Bear) has bipartisan interests, and has gone after more than two hundred targets. Its target list runs to campaigns, political consultants, political parties, and advocacy groups.
Neal Dennis, Threat Intelligence Specialist at Cyware, forwarded some comments in an email:
"Microsoft's recent news about cyber espionage attempts targeting various political entities should come as no surprise. State-sponsored threat actors will always look for ways to glean information on political adversaries, first to better determine politicians' international viewpoints, second to leverage in likely-to-come disinformation campaigns. Politicians and their support staff, along with contracted service providers, should anticipate they will at some point be a target of an advanced persistent threat, not if but when. In a large swath of these targeted efforts, threat actors leveraged spear phishing and brute force attacks as primary methods. A robust and purposefully paranoid mindset around what comes to their inboxes, phones, and other communication platforms, along with strong industry best practices for password management, would serve them well, though not mitigate 100% of their risk."
There's a dog that's not barking here. North Korea, which always rounds out the foursome of state-run threat actors, doesn't appear. North Korea News suggests a reason for Pyongyang's absence: North Korea is cash-strapped and in considerable financial pain. Its cyber operators are focused on redressing the country's shortfalls through direct theft. Influence operations are for the relatively more affluent Russia, China, and Iran, none of whom amount to pariah states by the standards the DPRK sets.
US authorities continue the policy of imposing costs on cyber threat actors.
The US Treasury Department announced yesterday that four individuals have been added to the Office of Foreign Assets Control's Specially Designated Nationals List for their role in foreign interference in US elections. This designation is independent of the information about election meddling Microsoft disclosed this week.
The people who've been placed on Treasury's list are Anton Nikolaeyvich Andreyev, Artem Mikhaylovich Lifshits, and Darya Dmitriyevna Aslanova, all of Saint Petersburg, Russia, and Andrii Leonidovych Derkach, of Kyiv, Ukraine. Treasury's announcement is laconic (although full of personal details), but the Wall Street Journal has filled in the picture. The case of Mr. Derkach is the most interesting. He's a Ukrainian lawmaker who, in the view of the US Government, has long acted as a Moscow stooge. As Treasury puts it, he is “complicit in foreign interference in an attempt to undermine the coming 2020 U.S. presidential election,” especially in retailing stories of Democratic candidate Biden's son Hunter as more deeply involved in Ukrainian corruption than the evidence would seem to warrant. The other three are, and this is no surprise, associated with the Internet Research Agency, the Kremlin's most prominent disinformation shop.
Treasury's website contains a brief explanation of what it means to be placed on the Specially Designated Nationals List: "Their assets are blocked and U.S. persons are generally prohibited from dealing with them."
CISA's advice to election officials.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday offered advice to all “election related entities” on steps they might take to counter email-based attacks. “Email systems are the preferred vector for initiating malicious cyber operations,” CISA says, adding that “Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing.”
In its advice CISA divides email attacks into two general categories: phishing and credential stuffing. CISA's audience is election officials and the IT people who support them, but any organization that uses email might profit from the recommendations:
- If you’re using cloud email, use the protections your cloud provider offers.
- Secure the user accounts on high-value services.
- Use email authentication and other best practices.
- If you’re running your own email gateway, secure it.
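CISA's third recommendation, "use email authentication," refers in practice to the SPF, DKIM, and DMARC records a domain publishes in DNS, and a common failure is to publish them in a form that looks complete but enforces nothing (an SPF record ending in `+all`, a DMARC policy of `p=none` with no reporting address, a DKIM key left in testing mode). The following is an added example, not code from the CyberWire article or from CISA's advisory: a small offline linter for those three record types. The domain names and record strings in it are constructed sample data, the DKIM key is a placeholder, and the thresholds (RFC 7208's ten-lookup limit, a key shorter than roughly 2048 bits) are the reviewer's reading of the standards rather than anything CISA specifies. To use it on a real domain you would fetch the TXT records with a DNS library and pass the strings to the same functions.

```python
"""Offline linter for email-authentication DNS records (SPF, DKIM, DMARC).
Added example; record strings below are constructed, not real domains."""
import re
from typing import Dict, List

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps these at 10.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def check_spf(record: str) -> List[str]:
    """Return weaknesses found in an SPF TXT record (empty list = nothing to flag)."""
    findings: List[str] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must begin with v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        # Strip the qualifier (+ - ~ ?) and any argument to get the mechanism name.
        name = re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0]
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of "
                        f"{SPF_LOOKUP_LIMIT} (receivers return permerror)")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain")
    elif all_qualifier == "~":
        findings.append("'~all' softfail: rely on DMARC to reject spoofed mail")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'k=v; k2=v2' tag lists used by DKIM and DMARC records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return weaknesses found in a DMARC record (RFC 7489)."""
    findings: List[str] = []
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must begin with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: consider p=reject once reports look clean")
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    sub = tags.get("sp")
    if sub and policy and strength.get(sub, 0) < strength.get(policy, 0):
        findings.append(f"sp={sub} is weaker than p={policy}: subdomains can be spoofed")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unseen")
    return findings


def check_dkim(record: str) -> List[str]:
    """Return weaknesses found in a DKIM selector record (RFC 6376)."""
    findings: List[str] = []
    tags = parse_tags(record)
    if "v" in tags and tags["v"] != "DKIM1":
        return ["unrecognised DKIM version"]
    key = tags.get("p", "")
    # Base64 of a 2048-bit RSA SubjectPublicKeyInfo is ~392 chars; 1024-bit is ~216.
    if key == "":
        findings.append("empty p= tag: key is revoked, signatures will fail")
    elif len(key) < 300:
        findings.append("short public key (likely 1024-bit or less): use 2048-bit RSA")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag set: verifiers treat failures as unsigned mail")
    return findings


def audit(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Pick the checker for each record from the DNS name it is published at."""
    report: Dict[str, List[str]] = {}
    for name, record in records.items():
        if name.startswith("_dmarc."):
            report[name] = check_dmarc(record)
        elif "._domainkey." in name:
            report[name] = check_dkim(record)
        else:
            report[name] = check_spf(record)
    return report


# Constructed sample records for a hypothetical domain; the DKIM key is a placeholder.
SAMPLE_RECORDS = {
    "example-campaign.test": "v=spf1 include:_spf.example-mail.test ~all",
    "_dmarc.example-campaign.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-campaign.test",
    "s1._domainkey.example-campaign.test": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RECORDS).items():
        print(name, "->", findings or ["ok"])
```

The linter deliberately evaluates only what is in the record strings: it does not follow `include:` or `redirect=` targets, so a lookup count that passes here can still exceed the limit once nested includes are resolved by a real receiver.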