Chinese, Iranian, and Russian APT groups target 2020 US election

Pierluigi Paganini September 11, 2020

Microsoft reveals that state-sponsored hackers had tried to breach email accounts belonging to people involved in the US election.

Microsoft announced to have detected a new wave of attacks carried out by Chinese, Iranian, and Russian state-sponsored hackers against the US election. Threat actors had tried to compromise email accounts belonging to people associated with the Biden and Trump election campaigns.

The company attributed the attacks against the APT groups tracked as Strontium (Russia), Zirconium (China), and Phosphorus (Iran).

Microsoft added that the “majority of these attacks” were detected and blocked.

“In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns.” reads the post published by Tom Burt – Corporate Vice President, Customer Security & Trust at Microsoft.

The post published by Microsoft confirms the information shared this summer by the U.S. National Counterintelligence and Security Center.

In August, the Director of the U.S. National Counterintelligence and Security Center (NCSC) William Evanina shared information on ongoing operations aimed at influencing the 2020 US election.

“Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer. We are primarily concerned about the ongoing and potential activity by China, Russia, and Iran” reads the press release published by the Office of the Director of the National Intelligence.

Evanina linked the efforts to Russia, China, and Iran, he explained, for example, that Russian actors are supporting President Trump’s candidacy with a coordinated effort on both Russian television and media.

According to Microsoft, Strontium APT has targeted more than 200 organizations including political campaigns, advocacy groups, parties and political consultants. The list of targets includes:

  • U.S.-based consultants serving Republicans and Democrats;
  • Think tanks such as The German Marshall Fund of the United States and advocacy organizations;
  • National and state party organizations in the U.S.; and
  • The European People’s Party and political parties in the UK.

In recent months, the group carried out brute force attacks and password spray, instead of spear-phishing, likely to automate their operations.

“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.” states the post.

Zirconium hackers were involved in attacks against high-profile individuals associated with the US election. The threat actors targeted people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community.

Microsoft detected thousands of attacks attributed to this group between March 2020 and September 2020, in this period the Chinese hackers gained access to almost 150 accounts. The attacks aimed at:

  • People closely associated with US presidential campaigns and candidates.
  • Prominent individuals in the international affairs community, academics in international affairs.

Phosphorus targeted the personal accounts of people associated with the Donald J. Trump for President campaign.

The attacks of the group are part of a hacking campaign that started in 2019. In October, Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35Charming KittenNewscaster, and Ajax Security Team) attempted to access to email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

Now Microsoft confirms that the Iran-linked hackers targeted the Trump campaign and shared details on new activity related to the group.

“Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff,” Burt says.

In March 2019, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

“We disclose attacks like these because we believe it’s important the world knows about threats to democratic processes. It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities.” concludes the post.”We report on nation-state activity to our customers and more broadly when material to the public, regardless of the actor’s nation-state affiliation. We are taking extra steps to protect customers involved in elections, government and policymaking. We’ll continue to disclose additional significant activity in our efforts to defend democracy.”

Below my interview at TRT international on the topic. Please like it 😉

Microsoft: Russian, Chinese, Iranian hackers target #US #election

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, US Election)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment