Microsoft calls out Moscow, Beijing, and Tehran for targeting US election.
Microsoft has observed extensive Russian, Chinese, and Iranian efforts to target people and organizations associated with the upcoming US election. Redmond says these findings are consistent with the overview of these threats published last month by the US Office of the Director of National Intelligence.
Strontium (also known as Fancy Bear or APT28, the unit of Russia's GRU that hacked the DNC in 2016) has "attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants." Microsoft says the threat actor is using new tools and techniques this time around: "In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity."
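The two tactics named above leave different traces in sign-in telemetry, and the rotating-IP detail matters for how you detect them: a password spray keyed on a single source address never fires when each address only touches a handful of accounts before it is retired. The following detector is an added example written for this page, not code from the original article or from Microsoft; the log format, account names, IP addresses and thresholds are all assumptions, and the log lines are constructed. It buckets failed sign-ins into fixed windows, flags brute force as many failures against one account, flags spraying as many accounts with very few failures each across the whole tenant (regardless of source), and shows that a per-IP spray rule misses the same traffic.

```python
"""Password-spray vs. brute-force detection over constructed sign-in logs.

Added example; not from the original article or Microsoft's report. Log
format, names, addresses and thresholds are assumptions for illustration.
Assumed line format: "<ISO8601 UTC> <OK|FAIL> user=<name> ip=<addr>"
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data (not real telemetry). Five rotating source IPs each
# try a dozen accounts once, one host hammers "bob", and "carol" mistypes once.
SAMPLE_LOG = """\
2020-09-10T02:00:05Z FAIL user=ahmed ip=198.51.100.7
2020-09-10T02:00:19Z FAIL user=bianca ip=198.51.100.23
2020-09-10T02:00:41Z FAIL user=chen ip=203.0.113.9
2020-09-10T02:01:02Z FAIL user=dmitri ip=192.0.2.44
2020-09-10T02:01:27Z FAIL user=elena ip=192.0.2.118
2020-09-10T02:01:50Z FAIL user=farid ip=198.51.100.7
2020-09-10T02:02:14Z FAIL user=greta ip=198.51.100.23
2020-09-10T02:02:36Z FAIL user=hiro ip=203.0.113.9
2020-09-10T02:03:01Z FAIL user=ines ip=192.0.2.44
2020-09-10T02:03:25Z FAIL user=jonas ip=192.0.2.118
2020-09-10T02:03:48Z FAIL user=kaito ip=198.51.100.7
2020-09-10T02:04:10Z FAIL user=lucia ip=198.51.100.23
2020-09-10T02:05:00Z FAIL user=bob ip=203.0.113.77
2020-09-10T02:05:12Z FAIL user=bob ip=203.0.113.77
2020-09-10T02:05:25Z FAIL user=bob ip=203.0.113.77
2020-09-10T02:05:40Z FAIL user=bob ip=203.0.113.78
2020-09-10T02:05:55Z FAIL user=bob ip=203.0.113.78
2020-09-10T02:06:09Z FAIL user=bob ip=203.0.113.78
2020-09-10T02:15:10Z FAIL user=carol ip=203.0.113.50
2020-09-10T02:15:30Z OK user=carol ip=203.0.113.50
"""


def parse_log(text):
    """Turn the assumed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_field, ip_field = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": when,
            "ok": result == "OK",
            "user": user_field.split("=", 1)[1],
            "ip": ip_field.split("=", 1)[1],
        })
    return events


def bucket_failures(events, window_s):
    """Group failed sign-ins into fixed (tumbling) windows of window_s seconds."""
    buckets = defaultdict(list)
    for e in events:
        if not e["ok"]:
            buckets[int(e["ts"].timestamp()) // window_s].append(e)
    return buckets


def detect_brute_force(events, window_s=600, min_failures=5):
    """Brute force: many failures against ONE account in a window, any source."""
    hits = set()
    for failures in bucket_failures(events, window_s).values():
        per_user = defaultdict(int)
        for e in failures:
            per_user[e["user"]] += 1
        hits.update(u for u, n in per_user.items() if n >= min_failures)
    return sorted(hits)


def detect_password_spray(events, window_s=600, min_users=10, max_per_user=2):
    """Spray: MANY accounts with at most a few failures each, counted tenant-wide
    so that rotating the source address does not split the signal."""
    findings = []
    for failures in bucket_failures(events, window_s).values():
        per_user = defaultdict(int)
        for e in failures:
            per_user[e["user"]] += 1
        sprayed = {u for u, n in per_user.items() if n <= max_per_user}
        if len(sprayed) >= min_users:
            ips = {e["ip"] for e in failures if e["user"] in sprayed}
            findings.append({"users": len(sprayed), "source_ips": len(ips)})
    return findings


def detect_spray_per_ip(events, window_s=600, min_users=10):
    """The naive rule: one IP touching many accounts. Defeated by IP rotation."""
    hits = set()
    for failures in bucket_failures(events, window_s).values():
        users_by_ip = defaultdict(set)
        for e in failures:
            users_by_ip[e["ip"]].add(e["user"])
        hits.update(ip for ip, users in users_by_ip.items() if len(users) >= min_users)
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evts))
    print("spray (tenant-wide):", detect_password_spray(evts))
    print("spray (per-IP rule):", detect_spray_per_ip(evts))
```

On the constructed data the tenant-wide rule reports one spray of 12 accounts from 5 source addresses and the brute-force rule reports "bob", while the per-IP rule returns nothing because no single address touched more than three accounts. Tumbling windows are used for brevity; a production rule would use a sliding window and would also correlate with the success events that follow a spray, since the goal of the spray is the one login that works.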
Zirconium (a Chinese state-sponsored threat actor also tracked as APT31) is targeting "people closely associated with U.S. presidential campaigns and candidates." The group unsuccessfully tried to hack email accounts belonging to people affiliated with Joe Biden's presidential campaign, and "targeted at least one prominent individual formerly associated with the Trump Administration." Zirconium has also targeted "prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center."
Phosphorus (an Iran-aligned group also known as APT35 or Charming Kitten) "has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election. Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff."
Microsoft also argues that additional federal funding is needed to secure states' election infrastructure, noting that the risk is not confined to the campaigns and consultants being targeted: "While the political organizations targeted in attacks from these actors are not those that maintain or operate voting systems, this increased activity related to the U.S. electoral process is concerning for the whole ecosystem."