Microsoft on Monday said it has torpedoed a pair of websites designed to steal credentials from visitors to two Republican Party think tanks.
The malicious websites were among six the company took down last week. A group of hackers affiliated with the Russian military created the sites, according to Microsoft. The group apparently was the same group that stole a cache of email from the Democratic National Committee during the 2016 presidential campaign.
A U.S. court order allowed Microsoft to disrupt and take control of the domain names for the websites. The names were crafted to spoof the domains of legitimate websites, including the Hudson Institute and the International Republican Institute, both well-known GOP think tanks.
“Attackers want their attacks to look as realistic as possible, and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” explained Microsoft President Brad Smith.
Microsoft has used the court order tactic 12 times in the past two years to take down 84 websites associated with the Russian hacking groups known as “Strontium,” “Fancy Bear” and “APT28,” Smith noted.
The domains Microsoft took offline indicate Fancy Bear has been broadening its target pool, Smith said. In addition to the GOP think tanks, which have been outspoken in their criticism of Russian President Vladimir Putin, four domains referenced the U.S. Senate, which hasn’t been a friend of Putin either.
Microsoft’s Digital Crime Unit had no evidence the cashiered domains were used in any successful attacks, Smith was careful to note, nor did it know the identity of the ultimate targets of any planned attack involving the domains.
The attack on the Republican think tanks is consistent with past behavior by Russian hacking groups, said Ross Rustici, senior director of intelligence services at Cybereason, an endpoint security company in Boston.
“If you look at Russian targeting, they always attack organizations that are critical of Putin and his regime,” he told TechNewsWorld.
“Both nonprofits highlighted by Microsoft have been consistently critical of Putin and his regime, so it doesn’t surprise me at all that they would be targets of Russian hacking attempts,” Rustici said. “The Russians don’t care which side of the aisle their target’s on. They’re looking to take down anybody that’s critical of Putin.”
Sowing Confusion, Conflict and Fear
Cyberattacks are nothing new to the International Republican Institute.
“IRI has been targeted in the past and has taken proactive steps to defend ourselves from these types of cybersecurity threats,” said President Daniel Twining.
“This latest attempt is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights,” he noted. “It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime.”
The Hudson Institute believes the Russian attack was meant to disrupt the organization’s democracy-promotion programs, particularly those aimed at exposing kleptocratic regimes, said spokesperson Carolyn Stewart.
“This is not the first time authoritarian overseas regimes have attempted to mount cyberattacks against Hudson, our experts, and their friends and professional associates,” she said. “We expect it will not be the last.”
Low Risk, High Reward
Despite Microsoft’s recent successful efforts to crack down on malicious Web activity, significant challenges lie ahead.
“It’s not that difficult to spoof these sites all over again,” said Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology, a cybersecurity think tank in Washington, D.C.
“That’s why this tactic is so appealing. It’s low risk, high reward,” he told TechNewsWorld.
“The success rate for spearphishing emails is 10 to 20 percent. That means that out of 100 employees, 10 to 20 of them are opening and responding to a lure that gives an attacker access to a network,” Eftekhari pointed out.
“It’s very easy to register things that are very close to legitimate companies or think tank names and use them for phishing attempts,” said Cybereason’s Rustici. “Unless you’re monitoring all the possible permutations, it’s easy to miss these.”
Reducing Election Meddling
Microsoft’s efforts could have a very disruptive impact on a the hackers’ efforts, said Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company based in Sunnyvale, California.
“It takes a lot of effort to build credible stories with credible websites and have enough visibility for those websites to actually draw traffic,” he told TechNewsWorld. “The perpetrators cannot just duplicate their content elsewhere because a lot of technology is pretty good at identifying similar content, knowing what’s fake and blocking it.”
Operations like Microsoft’s could help reduce election meddling in the upcoming mid-term elections, but not completely eliminate it, said Hahad.
Swaying election results may be only part of a long-term strategy that includes compromising candidates, he suggested.
“Having spyware on a candidate’s phone or laptop may actually turn out to be advantageous for an adversary when the candidate is elected versus trying to elect someone more favorable to their positions,” said Hahad.
Risk of Distrust
There has been progress in lowering the risk of election meddling since 2016, said the ICIT’s Eftekhari.
“There’s been a significant increase in awareness between the presidential election and now,” he noted. “There’s also been progress by DHS and the states in improving election infrastructure.”
Although there have been headline-grabbing reports about voter machine hacking, those hacks require physical access to a machine, which makes them highly unlikely.
“The bigger risk is the threat to the integrity of an election an adversary can create by sowing seeds of distrust of the Democratic process in the minds of voters,” Eftekhari said.
There’s also the eternal problem of change.
“We’re very good at fighting the last war, but the Russians are very good at evolving their game,” Cybereason’s Rustici said.
“I suspect if they’re going to do a psychological operation around the elections, the way they do it will be different than what they did in 2016,” he added. “How effective the defenses we’ve built for what they did in 2016 will be for those attacks is yet to be seen.”