Microsoft recently accused hacking groups from Russia, China, and Iran of targeting hundreds of organizations tied to the upcoming U.S. election, and other security experts see the same trends.
Three hacking groups, one each from Russia, China, and Iran, have initiated cyberattacks against many organizations, including the presidential campaigns of Donald Trump and Joe Biden, Tom Burt, Microsoft’s corporate vice president for customer security and trust, wrote in a Sept. 10 blog post.
“The activity we are announcing … makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported,” he wrote.
In many cases, the attacks were detected and stopped by the company’s security products, Burt added. Nevertheless, the Strontium hacking group, operating from Russia, has recently attacked more than 200 organizations, including political campaigns, advocacy groups, political parties, and political consultants serving both major U.S. parties.
Strontium is trying to harvest targeted people’s log-in credentials or to compromise their accounts, “presumably to aid in intelligence gathering or disruption operations,” Burt wrote.
Also, the Zirconium hacking group, based in China, has attacked high-profile people associated with the election, including some related to the Biden presidential campaign and prominent leaders in the international affairs community.
Microsoft has detected thousands of attacks from the group between March and September, with 150 compromises, the company said. The group has targeted the Biden campaign and one prominent person formerly associated with the Trump administration.
Finally, since May, Phosphorus, from Iran, has attacked the personal accounts of people associated with the Trump campaign.
The Microsoft report, especially the information on Russian hacking, is consistent with the activity other security experts are seeing, the company said.
Tracking attacks from so-called advanced persistent threats such as these hacking groups “can be cumbersome for even the most mature threat intelligence organizations, but I tend to agree that other vendors are seeing the same thing in regards to attribution and who is attempting to influence the election,” said Dennis Wilson, global director of SpiderLabs at security vendor Trustwave.
For each of the groups identified by Microsoft, the country involved has much to gain or lose depending on whether Biden or Trump is elected in November, he told the Washington Examiner.
“Gaining a foothold into either campaign can help a foreign influence attempt to steer U.S. elections toward the outcome that is most beneficial to them.”
The Russian Strontium group has been an advanced persistent threat for at least four years, added Matt Stern, CISO of Intelligent Waves, an IT systems integrator and security vendor. The group was tied to U.S. election attacks in 2016, he said.
“I have not seen connections to Phosphorus and Zirconium and elections in the past,” Stern told the Washington Examiner. “But I trust the Microsoft Threat Intel Center as the top of the game, and we should be concerned with the security of our electoral process.”
Stern offered a theory on why Strontium is targeting organizations on both sides of the presidential election. “All three of these [groups] have their own agendas for affecting U.S. elections and our country’s confidence in our own electoral system,” he said. “If their agenda is to sow chaos so that we, as a nation, are focused in another direction, it may allow them to insert themselves someplace else.”
The hacking groups appear to be focused on creating fear, uncertainty, and doubt about U.S. elections systems, added John Dickson, principal at security vendor Denim Group.
“When you are trying to undermine confidence across the entire election process, you have a wide aperture,” he told the Washington Examiner. “Nation-state actors are less interested in influencing the outcome of one election as they are in creating chaos and confusion around the campaigning and vote collection processes, which ultimately undermine our confidence in the broader electoral process.”
The hacking groups have many avenues of attack when they target U.S. elections, he added.
“The surface area for voting infrastructure is so expansive,” Dickson said. “I suspect they will start with political campaigns given there are so many of them, and they remain the soft underbelly of the election security problem.”