Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Microsoft Disrupts Election-Related Domains Used by Russian Hackers

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

Microsoft on Monday announced that it took control of several domains associated with a notorious Russia-linked threat actor. The names of the domains suggest the hackers may have been using them in campaigns related to the upcoming midterm elections in the United States.

The tech giant’s Digital Crimes Unit obtained a court order to take control of six domains created by a threat group tracked as APT28, Fancy Bear, Pawn Storm, Strontium, Sednit, Tsar Team and Sofacy.

APT28, which experts believe is sponsored by Russia’s GRU intelligence agency, has been known to launch politics-focused campaigns, including ones aimed at the latest presidential elections in the United States and France. The group may now be targeting the upcoming midterm elections in the U.S.

The domains seized by Microsoft are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

The first domain appears to mimic the International Republican Institute, a non-profit that receives funding from the U.S. government to promote democracy around the world. The second domain appears to impersonate the Hudson Institute, a politically conservative non-profit think tank. The other domains mimic the website of the U.S. Senate and Microsoft’s Office 365 service.

While the domains may have been set up for election-related campaigns, Microsoft says it currently has no evidence that any of them were successfully used in attacks, and it’s unclear exactly who the hackers intended on targeting using these domains.

The company revealed last month that it had spotted some Microsoft phishing domains that had apparently been set up as part of attacks aimed at the campaigns of three congressional candidates who are running in the upcoming midterm elections.

“Microsoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators,” Brad Smith, Microsoft’s president and chief legal officer, said in a blog post.

This is not the first time Microsoft has seized domains used by APT28. The company says it has used court orders a total of 12 times over the past two years to shut down 84 fake websites linked to the threat group.

Sean Sullivan, Security Advisor at F-Secure, cautioned that the domains targeted by Microsoft may not necessarily be related to elections.

“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” Sullivan told SecurityWeek. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an “attack” on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”

Microsoft took this opportunity to announce its new AccountGuard initiative, which provides free cybersecurity protection to candidates, campaigns and political institutions using Office 365.

The AccountGuard service, which is part of Microsoft’s Defending Democracy Program, involves notifications about threats, security guidance and education, and the opportunity to test preview releases of new security features.

AccountGuard is currently available only in the United States, but Microsoft plans on offering it in other countries as well in the coming months.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.