Microsoft Seizes Domains Set Up by Russian Cyberspies

Microsoft has seized six domains that were registered by Russian cyberespionage group Fancy Bear and mimicked the websites of U.S. political organizations and think tanks.

“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate,” Brad Smith, president and chief legal officer of Microsoft, said in a blog post announcing the action. “Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.”

AWS Builder Community Hub

The seizure of the domains was the result of a court order obtained by Microsoft’s Digital Crimes Unit (DCU) on the basis that there’s “good cause” to believe Fancy Bear, also known as APT28 and Strontium, is “likely to continue” its conduct of targeting U.S. political organizations and attempts to interfere with U.S. elections.

Last month, the U.S. Department of Justice indicted 12 officers of the Russian military intelligence agency GRU for their involvement in cyberattacks against the U.S. Democratic Party and subsequent interference in the 2016 U.S. presidential elections. The indictment directly links the X-Agent malware, the main tool of APT28, to the GRU.

Microsoft did not observe any attempts to use the newly seized domains in attacks and doesn’t have any information about the group’s planned targets. However, over the past two years, the company seized 84 similarly fake websites set up by APT28.

“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” Smith said. “The sites involved in last week’s order fit this description.”

Microsoft has notified the International Republican Institute and the Hudson Institute about the rogue domains and has also been closely working with the Senate’s IT staff over the past few months after staff members of two senators were targeted in the past.

“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith said. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

Microsoft also decided to expand its Defending Democracy Program launched in April with a new initiative called AccountGuard that will offer threat notification, security guidance and ongoing education for free to candidates, campaign offices, think tanks and political organizations who use Office 365.

Google Sends Thousands of Warnings About Government-Backed Phishing Every Month

Google has been notifying Gmail users for years whenever it detects government-sponsored phishing attempts against their accounts and is also offering a program that enforces stronger security controls.

“Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers,” said Shane Huntley from the Threat Analysis Group at Google in a blog post. “These attempts come from dozens of countries. Since 2012, we’ve shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; we show thousands of these warnings every month, even if we have blocked the specific attempt.”

G Suite administrators also receive automated notifications when users from their organizations are targeted in suspected government-backed attacks. High-value users such as journalists, activists, business leaders and political campaign teams can enroll in Google’s Advanced Protection Program which enforces authentication based on hardware security keys and limits the types of apps users can link to their Google accounts.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin