Microsoft Targets Fancy Bear Hacking Group

With the mid-term elections just three months away and concerns about the security of campaigns and elections themselves at new heights, Microsoft is making several moves designed to disrupt foreign hacking operations and to help protect candidates and campaign offices in local, state, and federal elections.

On Monday, the company announced that it has taken over six domains known to be used by the Fancy Bear attack group, a team experts believe is tied to Russian intelligence. The domains mimic those used by several non-profit organizations and the Senate, and could have served spear-phishing campaigns against specific people inside those organizations. Microsoft officials said they had no specific evidence that the domains had yet been used in successful phishing attacks, but the company now controls them after obtaining a court order that transferred the domains to Microsoft’s Digital Crimes Unit.

The move is part of a broader effort by Microsoft to help candidates and campaigns defend themselves against sophisticated hacking groups. The company has taken over dozens of domains associated with Fancy Bear’s activities in the last couple of years, and in April it established the Defending Democracy Program to help defend campaigns, candidates, elections and the electoral process, and to identify and counter disinformation campaigns. This week, Microsoft announced that it is expanding the program with a set of features called AccountGuard.

“This initiative will provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack,” Microsoft President Brad Smith said.

Microsoft will provide the AccountGuard protections free to any campaigns or related political entities that use Office 365. The program will include ongoing security education and guidance, early access to new security features, and, most importantly, threat intelligence shared across both organizational and personal accounts of campaign staff.

“For political campaigns and other eligible organizations, when an attack is identified, this will provide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected, Microsoft will provide personal and expedited recommendations to campaigns and campaign staff to secure their systems,” Smith said.

Fancy Bear, also known as APT28 and by a variety of other names, is one of the more notorious attack groups operating right now. The team has been associated with Russian intelligence agencies and is widely believed to have been involved in attacks on campaigns and candidates in the months before the 2016 United States presidential election. Fancy Bear has also been implicated in interference with elections in other countries. Smith said that although Microsoft and other companies have had some success in tracking and disrupting operations by Fancy Bear and associated teams, those groups have tremendous resources and are highly motivated to continue their activities.

“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France,” Smith said. Google officials on Monday also warned users that government-backed attackers are active all the time and don’t just target political candidates or campaign staff.

“Beyond phishing for the purposes of fraud, a small minority of users in all corners of the world are still targeted by sophisticated government-backed attackers. These attempts come from dozens of countries. Since 2012, we've shown prominent warnings within Gmail notifying users that they may be targets of these types of phishing attempts; we show thousands of these warnings every month, even if we have blocked the specific attempt,” Shane Huntley of Google’s threat analysis group said in a post.