Microsoft warns Russia, China and Iran targeting US election

Microsoft on Thursday reported that it is seeing “increasing” cyberattacks originating in Russia, China and Iran targeting its customers, including attacks against political groups and the presidential campaigns of President Trump and former Vice President Joe Biden.

Tom Burt, corporate vice president of customer security and trust at Microsoft, detailed in a blog post the efforts by three major foreign hacking groups to target the campaigns, along with other political organizations and individuals.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S. government and others have reported,” Burt wrote. 

These efforts included Russian hacking group “Strontium” targeting more than 200 organizations, political campaigns and parties over the past year, including U.S.-based consultants for the Democratic and Republican parties, think tanks such as the German Marshall Fund and political parties in the United Kingdom. 

Strontium, also known as “Fancy Bear,” is the same group that hacked into the Democratic National Committee networks in 2016.

Microsoft took legal action against the group in 2017, with a federal court ordering the group to stop targeting Microsoft customers and using Microsoft logos in malicious email phishing campaigns. 

“Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations,” Burt wrote. “In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations.” 

A second hacking effort announced by Microsoft on Thursday involved Chinese-based hacking group “Zirconium.” Microsoft reported evidence of “thousands” of attempted attacks by the group between May and September, with nearly 150 successful compromises.

Among the individuals targeted unsuccessfully by Zirconium were Biden campaign staffers. The group went after non-campaign emails.

Zirconium also targeted an unnamed former Trump administration official, along with individuals in the international affairs community, including those at 15 universities and groups such as the Atlantic Council and the Stimson Center. 

“Zirconium, operating from China, has attempted to gain intelligence on organizations associated with the upcoming U.S. presidential election,” Burt wrote.

Additionally, Microsoft has observed continued attempts by Iranian cyber threat group “Phosphorus” to target the personal accounts of Trump campaign staffers. Phosphorus stepped up efforts between May and June to access personal or work email accounts of the staffers. 

Microsoft previously put out an alert last year warning of attempts by Phosphorus to target an unnamed U.S. presidential campaign, which Reuters later reported was the Trump campaign. Microsoft took legal action against the group prior to this, filing a court case enabling the company to take control of 99 websites used by Phosphorus to conduct hacking operations. 

Burt noted that the majority of the attempted cyberattacks by all three groups were unsuccessful, and that all those whose accounts were targeted or compromised had been notified. 

The assessment by Microsoft was published a month after a senior official at the Office of the Director of National Intelligence put out a statement warning that Russia, China and Iran were actively taking steps to interfere in the U.S. presidential election, with Russian actors favoring Trump, and Chinese and Iranian groups favoring Biden. 

A spokesperson for the Biden campaign did not respond to The Hill’s request for comment on Microsoft’s findings.

Thea McDonald, deputy national press secretary for the Trump campaign, told The Hill that it was “not surprising” that foreign groups were targeting the organization. 

“As President Trump’s re-election campaign, we are a large target, so it is not surprising to see malicious activity directed at the campaign or our staff,” McDonald said. “We work closely with our partners, Microsoft and others, to mitigate these threats. We take cybersecurity very seriously and do not publicly comment on our efforts.”

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) put out a report on Thursday recommending steps groups can take to counter foreign cyberattacks targeting email systems, emphasizing the need for organizations with ties to elections to take additional security measures.  

“Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals,” CISA wrote. “Email systems are the preferred vector for initiating malicious cyber operations.”

Acting DHS Secretary Chad Wolf said in a statement Thursday that Microsoft’s assessment “reaffirms” previous DHS communications on election security threats. 

“Protecting our elections is a team effort with the federal government and the private sector joining together to thwart foreign malign actors,” Wolf said. “Today’s announcement from Microsoft reaffirms my statements in the recent State of the Homeland Address: China, Iran, and Russia are trying to undermine our democracy and influence our elections.”

“I applaud Microsoft’s efforts to defend democracy against these attacks and for their transparency on this critical issue,” he added. 

Several key members of Congress reacted strongly to the news of the attempted cyberattacks, including Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, a panel that conducted a bipartisan years-long investigation into Russian interference during the 2016 presidential election. 

“We’ve said it all along: Russia will be back,” Warner tweeted Thursday. “We need to be prepared.”

Sen. Ben Sasse (R-Neb.), a member of the Senate Intelligence Committee, said in a statement that “Microsoft’s warning is consistent with the Intelligence Community’s long-standing assessments: China and Russia want to sow distrust ahead of the 2020 election.”

“In Beijing, Chairman Xi wants Biden to win; in Moscow, Vladimir Putin wants Trump to win; both of these miserable SOBs have the same goal of turning Americans against each other,” Sasse said. “The United States needs to make it clear that China and Russia will face severe consequences for hacks and disinformation campaigns. Chinese communists and Russian oligarchs don’t get to vote in America’s elections.”

Burt wrote that Microsoft made its findings public because the company believes “it’s important the world knows about threats to democratic processes.”

He also urged Congress to appropriate more federal funds to help campaigns and election officials defend against malicious cyber actors. Congress has appropriated over $800 million for election security since 2018 in addition to the $400 million included in the CARES Act stimulus bill in March to help address challenges to elections posed by the COVID-19 pandemic.  

Election officials and experts have argued a further $3.6 billion is needed to adequately meet the needs of state and local election officials. Democrats and Republicans have butted heads over the funds, with Democrats including $3.6 billion for elections in the House-passed HEROES Act stimulus bill, while Republicans have not included any funds for elections in recent proposed stimulus bills, citing concerns around federalizing elections. 

“As election security experts have noted, additional funding is still needed, especially as resources are stretched to accommodate the shift in COVID-19-related voting,” Burt wrote. “We encourage Congress to move forward with additional funding to the states and provide them with what they need to protect the vote and ultimately our democracy.”

-Updated at 5:40 p.m.