Microsoft Seizes Domains Set Up by Russian Cyberspies
Microsoft has seized six domains that were registered by Russian cyberespionage group Fancy Bear and mimicked the websites of U.S. political organizations and think tanks.
“One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate,” Brad Smith, president and chief legal officer of Microsoft, said in a blog post announcing the action. “Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices.”
The seizure of the domains was the result of a court order obtained by Microsoft’s Digital Crimes Unit (DCU) on the basis that there’s “good cause” to believe Fancy Bear, also known as APT28 and Strontium, is “likely to continue” its conduct of targeting U.S. political organizations and attempts to interfere with U.S. elections.
Last month, the U.S. Department of Justice indicted 12 officers of the Russian military intelligence agency GRU for their involvement in cyberattacks against the U.S. Democratic Party and subsequent interference in the 2016 U.S. presidential election. The indictment directly links the X-Agent malware, the main tool of APT28, to the GRU.
Microsoft did not observe any attempts to use the newly seized domains in attacks and doesn’t have any information about the group’s planned targets. However, over the past two years, the company has seized 84 similar fake websites set up by APT28.
“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” Smith said. “The sites involved in last week’s order fit this description.”
Microsoft has notified the International Republican Institute and the Hudson Institute about the rogue domains and has also been closely working with the Senate’s IT staff over the past few months after staff members of two senators were targeted in the past.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Smith said. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”
Microsoft also decided to expand its Defending Democracy Program, launched in April, with a new initiative called AccountGuard that will offer threat notification, security guidance and ongoing education for free to candidates, campaign offices, think tanks and political organizations that use Office 365.
Google Sends Thousands of Warnings About Government-Backed Phishing Every Month
Google has been notifying Gmail users for years whenever it detects government-sponsored phishing attempts against their accounts and is also offering a program that enforces stronger security controls.
“Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers,” said Shane Huntley from the Threat Analysis Group at Google in a blog post. “These attempts come from dozens of countries. Since 2012, we’ve shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; we show thousands of these warnings every month, even if we have blocked the specific attempt.”
G Suite administrators also receive automated notifications when users from their organizations are targeted in suspected government-backed attacks. High-value users such as journalists, activists, business leaders and political campaign teams can enroll in Google’s Advanced Protection Program, which enforces authentication based on hardware security keys and limits the types of apps users can link to their Google accounts.