Microsoft Disrupts Election-Related Domains Used by Russian Hackers

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. The group may now be targeting the upcoming midterm elections in the U.S.

The domains seized by Microsoft are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

The first domain appears to mimic the International Republican Institute, a non-profit that receives funding from the U.S. government to promote democracy around the world. The second domain appears to impersonate the Hudson Institute, a politically conservative non-profit think tank. The other domains mimic the website of the U.S. Senate and Microsoft’s Office 365 service.

While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly who the hackers intended on targeting using these domains.

The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressional candidates who are running in the upcoming midterm elections.

“Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators,” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post.

This is not the first time Microsoft has seized domains used by APT28. The company says it has used court orders a total of 12 times over the past two years to shut down 84 fake websites linked to the threat group.

Sean Sullivan, Security Advisor at F-Secure, cautioned that the domains targeted by Microsoft may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” Sullivan told SecurityWeek. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

Microsoft took this opportunity to announce its new AccountGuard initiative, which provides free cybersecurity protection to candidates, campaigns and political institutions using Office 365.

The AccountGuard service, which is part of Microsoft’s Defending Democracy Program, involves notifications about threats, security guidance and education, and the opportunity to test preview releases of new security features.

AccountGuard is currently available only in the United States, but Microsoft plans on offering it in other countries as well in the coming months.