Microsoft said it uncovered a Russian security threat and seized control of six fake political websites created by a criminal group with ties to the Kremlin.

Last week a court transferred control of six internet domains to Microsoft from a state-sponsored hacking group called APT28 or Fancy Bear, which is one of the two Russian groups responsible for hacking incidents during the 2016 U.S. presidential campaign. It’s also the same group Cisco said used malware to infect at least 500,000 routers and storage devices globally. Cisco’s threat research prompted the FBI to seize part of the malware’s command-and-control infrastructure.

Microsoft said it has used this court-order approach 12 times in two years to shut down 84 fake websites associated with Fancy Bear. The group registers domains and builds sites that closely resemble the ones its targeted victims would normally visit, then uses those look-alike URLs to redirect visitors to hacker-controlled pages that harvest passwords and other information.
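The look-alike domains described above are something a defender can screen for in newly registered domain feeds or proxy logs. The following is an added example, not Microsoft's or the article's code; the watchlist of protected domains and the matching heuristics are assumptions chosen for illustration:

```python
import unicodedata

# Constructed watchlist (an assumption for this example): registrable domains to protect.
PROTECTED = ["iri.org", "hudson.org", "senate.gov"]

# Substitutions that make one label resemble another; a heuristic, not from the article.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold Unicode to ASCII, lowercase, undo look-alike substitutions, drop hyphens."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels; 1 means a single typo or substituted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike(domain: str):
    """Return (protected_domain, reason) if `domain` impersonates a watchlist entry, else None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]  # naive split; production code would use a public-suffix list
    n_sld = normalize(sld)
    for legit in PROTECTED:
        lsld, ltld = legit.split(".")
        if (sld, tld) == (lsld, ltld):
            return None  # the genuine domain, or a legitimate subdomain of it
        if any(normalize(l) == lsld for l in labels[:-2]):
            return legit, "brand used as subdomain of another domain"
        if n_sld == lsld:
            return legit, ("homoglyph substitution" if tld == ltld else "brand with different TLD")
        if n_sld == lsld + ltld:
            return legit, "TLD folded into label"
        if len(lsld) >= 5 and lsld in n_sld:
            return legit, "brand embedded in label"
        if len(lsld) >= 4 and levenshtein(n_sld, lsld) == 1:
            return legit, "one-character edit of brand"
    return None
```

Running `find_lookalike("hudson-org.com")` returns `('hudson.org', 'TLD folded into label')`, while the genuine `www.hudson.org` returns `None`; hits are triage candidates, not verdicts.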

In this most recent case the sites appeared to mimic the International Republican Institute, whose board includes six Republican senators, and conservative think tank the Hudson Institute. Other domains appear to reference the Senate (see below).

Microsoft says it doesn’t have any evidence that the hackers used the domains in any successful attacks and it doesn’t know the ultimate targets of any planned attacks. The company is also monitoring domain activity with Senate IT staff following earlier attacks detected on two current senators' staffs.

“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” wrote Microsoft President Brad Smith, in a blog post. “That’s why today we are expanding Microsoft’s Defending Democracy Program with a new initiative called Microsoft AccountGuard.”

This new service will provide threat alerts and security guidance for all candidates and campaign offices at the federal, state, and local level, as well as think tanks and political organizations. It will be free to candidates and political groups using Office 365.

Smith Calls on Tech Leaders

In the blog, Smith called on other tech companies to step up their efforts to prevent Russian interference in U.S. elections. “Broadening cyberthreats to both U.S. political parties make clear that the tech sector will need to do more to help protect the democratic process,” he wrote.

He also repeated his call for a Digital Geneva Convention that commits governments to protecting civilians from state-sponsored cyberattacks.

Smith first introduced this idea during his RSA Conference keynote in 2017. During his keynote at this year's event, Smith launched the Cybersecurity Tech Accord, a global agreement initially signed by 34 companies that pledged to protect their customers from attacks by cybercriminals and nation states, and vowed not to help governments launch cyberattacks.

Earlier this month the Tech Accord companies said they will tackle router safety as their first action, and they endorsed the Mutually Agreed Norms for Routing Security (MANRS).
