Russian, Chinese and Iranian hackers have mounted cyberattacks against hundreds of organizations and people involved in the 2020 presidential race and U.S.-European policy debates, with targets including the campaigns of both Donald Trump and Joe Biden, Microsoft said Thursday.
The report is the most expansive public warning to date about the rapid spread of foreign governments’ efforts to wield hackers to undermine U.S. democracy.
The perpetrators include the same Kremlin-aligned Russian hacking group whose thefts and leaks of confidential Democratic Party documents helped torpedo Hillary Clinton’s presidential hopes in 2016, said Microsoft, which offers products designed to detect such attacks.
Microsoft said Russia’s targets this time included political parties in the U.S. and Europe, while Chinese hackers went after people in Biden’s campaign and Iranians attempted to breach the accounts of Trump’s campaign staff. Hackers also attacked political consultants, think tanks and groups such as the German Marshall Fund and Stimson Center that promote international cooperation.
“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,” Microsoft said in a blog post. It added that its security tools detected and blocked “the majority of these attacks.”
The company did not answer numerous questions from POLITICO seeking more details.
The revelations come amid a feud between congressional Democrats and the administration over what it knows about foreign threats against the election, in particular the Democrats’ accusations that Trump’s intelligence leaders are failing to alert the public about the Kremlin’s activities.
Trump and his supporters have pushed a message that the Chinese are trying to help Biden — a claim not supported by intelligence officials, who have told POLITICO that Russia’s efforts pose the most active and acute danger. A whistleblower’s report released Wednesday also alleged that the president’s appointees at the Department of Homeland Security have sought to suppress or censor reports on Russian influence activities and focus instead on China and Russia.
An official intelligence community statement last month said China prefers that Trump not be reelected, that Russia is denigrating Biden and that Iran is undermining the president.
Several of the hackers’ targets confirmed Microsoft’s reporting, though none said the cyberattacks had succeeded.
“As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff,” said Thea McDonald, deputy press secretary for the president’s campaign team. “We work closely with our partners, Microsoft and others, to mitigate these threats. We take cybersecurity very seriously and do not publicly comment on our efforts.”
Likewise, the Republican National Committee has “been informed that foreign actors have made unsuccessful attempts to penetrate the technology of our staff members,” an RNC spokesperson said.
Biden’s campaign said it too was aware of Microsoft’s findings. “We have known from the beginning of our campaign that we would be subject to such attacks and we are prepared for them,” the campaign said.
Microsoft has also alerted SKDKnickerbocker, one of Biden’s chief communications and strategy firms, that Russian hackers had unsuccessfully targeted its networks, Reuters said early Thursday ahead of the report’s release. Those attempts also failed, Reuters reported. The firm did not respond to later requests for comment.
The attacks on the Stimson Center were first observed in May, spokesperson David Solimini said, and Microsoft notified the think tank about the nature and source in late July. He and German Marshall Fund spokesperson Sydney Simon both said they’d seen no evidence that the attacks succeeded.
Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Microsoft’s findings are “consistent with earlier statements by the Intelligence Community on a range of malicious cyber activities targeting the 2020 campaign.”
“It is important to highlight that none [of the targets] are involved in maintaining or operating voting infrastructure and there was no identified impact on election systems,” Krebs said in a statement. He added, “Everyone involved in the political process should stay alert against these sorts of attacks.”
The Treasury Department announced its own steps to combat Kremlin interference Thursday, saying it was imposing sanctions on pro-Russian Ukrainian lawmaker Andriy Derkach for promoting discredited allegations against Biden.
Graham Brookie, director of the Atlantic Council’s Digital Forensic Research Lab, confirmed that his group had been the target of apparently unsuccessful attacks from Chinese hackers, but cautioned that those did not appear election-related.
“It is not surprising that we would be targeted by China, based on the substance of our work,” Brookie said. “This appeared to be about information gathering and espionage as opposed to election interference of any kind.”
Among other details, Microsoft reported that:
— The hacking group popularly known as Fancy Bear, which is linked to Russian military intelligence and played a major role in the 2016 attacks on Democrats, has gone after more than 200 organizations in recent months, “presumably to aid in intelligence gathering or disruption operations.” (The group is also known as APT28, and Microsoft refers to it as Strontium.)
The Russians’ targets include political campaigns, national and state party organizations, consultants for both parties and think tanks in the U.S., as well as British political parties and the European People’s Party. “Others that Strontium targeted recently include businesses in the entertainment, hospitality, manufacturing, financial services and physical security industries.”
— A Chinese hacking group called Zirconium or APT31 has attacked the non-campaign email accounts of high-profile people in Biden’s campaign, plus at least one prominent person formerly associated with the Trump administration, the tech giant said. The Chinese group has also targeted “prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center.”
— Phosphorus, an Iranian hacker group often called Charming Kitten, has gone after the personal and work accounts of Trump campaign staffers and administration officials.
Microsoft’s blog post said that it had blocked the majority of the attacks, and had gotten a federal court’s permission to take control of 25 new internet domains the Iranians were using.
The company’s analysis offered some new details on the hackers’ methods.
For instance, in 2016 the Russian group primarily relied on so-called spearphishing, which tricks victims into clicking on malicious email links to gain access to documents that it later released through outlets like WikiLeaks. But in recent months, Russia has shifted toward more crude “brute force” attacks and a technique called password spray, in which hackers input many passwords in a bid to guess their way into a system.
“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service,” wrote Tom Burt, corporate vice president for customer security and trust. “Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
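For defenders, the rotating addresses described above matter because an alert rule keyed on source IP never sees enough failures from any one address. The following Python is an added example, not code from Microsoft or its report; the event format, thresholds, function names and documentation-range IP addresses are assumptions, and it treats a spray as a few failed guesses against each of many accounts.

```python
from collections import Counter, defaultdict

def per_ip_alerts(events, threshold=10):
    """Classic rule: flag any source IP with >= threshold failed logins."""
    fails = Counter(ip for _, ip, _, ok in events if not ok)
    return {ip for ip, n in fails.items() if n >= threshold}

def spray_windows(events, window=3600, min_accounts=20, max_per_account=3):
    """Flag time windows where many accounts each see only a few failures.

    The source IP is not used as a grouping key, so rotating addresses do
    not dilute the signal; the IP count is reported only as context.
    """
    buckets = defaultdict(list)
    for ts, ip, account, ok in events:
        if not ok:
            buckets[ts - ts % window].append((ip, account))
    hits = []
    for start, fails in sorted(buckets.items()):
        per_account = Counter(acct for _, acct in fails)
        low_and_slow = [a for a, n in per_account.items() if n <= max_per_account]
        if len(low_and_slow) >= min_accounts:
            hits.append({"window_start": start,
                         "accounts": len(low_and_slow),
                         "source_ips": len({ip for ip, _ in fails})})
    return hits

def constructed_events():
    """Constructed sample data (hypothetical, not taken from any real log)."""
    events = []
    # Spray: 40 accounts, one failed guess each, every attempt from a new IP.
    for i in range(40):
        events.append((1000 + i * 30, f"198.51.100.{i + 1}", f"user{i:02d}", False))
    # Noisy single-source brute force: 12 failures on one account from one IP.
    for i in range(12):
        events.append((1200 + i, "203.0.113.7", "admin", False))
    # Ordinary user mistyping a password twice, then logging in.
    events += [(1500, "192.0.2.10", "alice", False),
               (1510, "192.0.2.10", "alice", False),
               (1520, "192.0.2.10", "alice", True)]
    return events

if __name__ == "__main__":
    ev = constructed_events()
    print("per-IP rule:", per_ip_alerts(ev))
    print("spray rule:", spray_windows(ev))
```

On the constructed data the per-IP rule flags only the single-source brute force, while the account-based rule flags the window containing the spray.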
This is far from the first time that a company in the cybersecurity business, not the federal government, has been the first to go public with details about major attacks against its customers by nation-states. Previous examples include a landmark 2013 report by the cyber firm Mandiant on Chinese Army-connected hackers conducting cyber espionage against U.S. critical infrastructure like the electrical power grid.
Meridith McGraw and Natasha Bertrand contributed to this report.