APT28 looms large on the radar
Microsoft has gone public with evidence that nation-state cyber-attacks targeting individuals and organizations involved in the upcoming US election have already begun.
The systematic assaults bear the hallmarks of previously identified groups Strontium (Russia), Zirconium (China) and Phosphorus (Iran).
Microsoft’s corporate vice president Tom Burt said it had spotted “unsuccessful attacks on people associated with both the Trump and Biden campaigns”.
Strontium – more commonly known as ‘APT28’, a unit of Russian military intelligence – has loomed large on Microsoft’s radar because of Office 365 credential harvesting attacks “aimed at US and UK organizations directly involved in political elections”.
Compromised credentials are harvested using spear-phishing and similar tactics. These login details are often not used immediately but held in reserve and brought into play in follow-up surveillance or intrusion operations.
Meanwhile Zirconium, operating from China, has “attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community,” according to Microsoft.
And elsewhere Phosphorus, operating from Iran, has “continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign”.
Strontium magnet
Between September 2019 and June 2020, Strontium on its own launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations.
Its targets included US-based consultants serving Republicans and Democrats; think tanks such as The German Marshall Fund of the United States; advocacy organizations and political parties in the US and UK; and more.
“In the two weeks between August 18 and September 3, the same attacks targeted 6,912 accounts belonging to 28 organizations,” Microsoft warns in a blog post. “None of these accounts were successfully compromised.”
“Not all the targeted organizations were election-related. However, we felt it important to highlight a potential emerging threat to the 2020 US Presidential Election and future electoral contests in the UK,” it added.
As well as targeting groups in politics, Strontium is also said to have scoped out various parties in the entertainment, hospitality, manufacturing, financial services, and physical security industries.
Hack early, hack often
APT28 is one of two Kremlin-linked threat groups blamed for the infamous hack of the DNC’s systems and subsequent leak of politically embarrassing emails during the 2016 US presidential election cycle.
Microsoft recently alerted one of Democratic presidential candidate Joe Biden’s main election campaign advisory firms that it had been targeted by suspected Russian state-backed hackers, Reuters reports.
Tarik Saleh, senior security engineer and malware researcher at DomainTools, commented: “As we approach November, it is very likely that we will see an uptick in foreign state-sponsored attempts to sway the democratic process.
“The fact that there was an attempt to compromise SKDK's network but that the cyber defences in place were sufficient to spot and block the attack is certainly a good sign.”