Chinese, Iranian, and Russian APT groups target 2020 US election

Microsoft reveals that state-sponsored hackers had tried to breach email accounts belonging to people involved in the US election.

Microsoft announced that it had detected a new wave of attacks carried out by Chinese, Iranian, and Russian state-sponsored hackers against the US election. The threat actors had tried to compromise email accounts belonging to people associated with the Biden and Trump election campaigns.

The company attributed the attacks to the APT groups tracked as Strontium (Russia), Zirconium (China), and Phosphorus (Iran).

Microsoft added that the “majority of these attacks” were detected and blocked.

“In recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns.” reads the post published by Tom Burt – Corporate Vice President, Customer Security & Trust at Microsoft.

The post published by Microsoft confirms the information shared this summer by the U.S. National Counterintelligence and Security Center.

In August, the Director of the U.S. National Counterintelligence and Security Center (NCSC) William Evanina shared information on ongoing operations aimed at influencing the 2020 US election.

“Many foreign actors have a preference for who wins the election, which they express through a range of overt and private statements; covert influence efforts are rarer. We are primarily concerned about the ongoing and potential activity by China, Russia, and Iran” reads the press release published by the Office of the Director of the National Intelligence.

Evanina linked the efforts to Russia, China, and Iran. He explained, for example, that Russian actors are supporting President Trump’s candidacy with a coordinated effort on both Russian television and media.

According to Microsoft, Strontium APT has targeted more than 200 organizations including political campaigns, advocacy groups, parties and political consultants. The list of targets includes:

  • U.S.-based consultants serving Republicans and Democrats;
  • Think tanks such as The German Marshall Fund of the United States and advocacy organizations;
  • National and state party organizations in the U.S.; and
  • The European People’s Party and political parties in the UK.

In recent months, the group carried out brute force and password spray attacks instead of spear-phishing, likely in order to automate its operations.

“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.” states the post.
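The activity described above, many accounts each tried a few times from a large pool of rotating source IPs, is what makes password spraying hard to catch with per-account lockout thresholds. The following is an added example, not code from the article or from Microsoft, of detection logic a defender can run over authentication logs: it flags windows in which failed logins touch many distinct accounts with only a handful of failures each (a spray), while a classic brute force against one account does not match, and it reports day-over-day source-IP churn. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Password-spray and source-IP-churn detection over authentication logs.

Added example (not from the Security Affairs article or Microsoft's post).
The log line format, sample data and thresholds below are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# "<ISO-8601 timestamp> result=<ok|fail> user=<account> src=<ipv4>"
# Day 1: ten accounts, one failure each, ten different source IPs (spray).
# Day 2: one account hit five times from one IP (brute force, not a spray).
SAMPLE_LOG = """\
2020-09-01T10:00:01Z result=fail user=alice src=203.0.113.10
2020-09-01T10:00:05Z result=fail user=bob src=203.0.113.11
2020-09-01T10:00:09Z result=fail user=carol src=203.0.113.12
2020-09-01T10:00:14Z result=fail user=dave src=203.0.113.13
2020-09-01T10:00:20Z result=fail user=erin src=203.0.113.14
2020-09-01T10:00:27Z result=fail user=frank src=203.0.113.15
2020-09-01T10:00:33Z result=ok user=alice src=198.51.100.7
2020-09-01T10:00:40Z result=fail user=grace src=203.0.113.16
2020-09-01T10:00:46Z result=fail user=heidi src=203.0.113.17
2020-09-01T10:00:52Z result=fail user=ivan src=203.0.113.18
2020-09-01T10:01:01Z result=fail user=judy src=203.0.113.19
2020-09-02T09:00:00Z result=fail user=mallory src=192.0.2.1
2020-09-02T09:00:10Z result=fail user=mallory src=192.0.2.1
2020-09-02T09:00:20Z result=fail user=mallory src=192.0.2.1
2020-09-02T09:00:30Z result=fail user=mallory src=192.0.2.1
2020-09-02T09:00:40Z result=fail user=mallory src=192.0.2.1
"""

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text):
    """Parse the assumed 'key=value' log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(AuthEvent(
            ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            ok=kv["result"] == "ok",
            user=kv["user"],
            src=kv["src"],
        ))
    return events


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Flag windows where failures spread across many accounts but stay low per account.

    That breadth-over-depth shape is the spray signature; a brute force against
    a single account (many failures, one user) does not trigger it.
    """
    buckets = defaultdict(list)
    for e in events:
        if not e.ok:
            buckets[window_start(e.ts, window)].append(e)
    alerts = []
    for start in sorted(buckets):
        per_user = Counter(e.user for e in buckets[start])
        ips = {e.src for e in buckets[start]}
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"window_start": start, "users": len(per_user), "source_ips": len(ips)})
    return alerts


def ip_churn(events):
    """Per calendar day: distinct failing source IPs and how many were added/removed vs. the prior day."""
    per_day = defaultdict(set)
    for e in events:
        if not e.ok:
            per_day[e.ts.date()].add(e.src)
    report, prev = [], set()
    for day in sorted(per_day):
        cur = per_day[day]
        report.append({"day": day, "ips": len(cur), "added": len(cur - prev), "removed": len(prev - cur)})
        prev = cur
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_spray(evs):
        print(f"spray suspected from {a['window_start']}: {a['users']} accounts, {a['source_ips']} source IPs")
    for r in ip_churn(evs):
        print(f"{r['day']}: {r['ips']} IPs (+{r['added']} / -{r['removed']})")
```

Counting distinct accounts per window rather than failures per account is the design point: rotating the source IP defeats per-IP blocking, and keeping each account under the lockout threshold defeats per-account blocking, but neither hides the breadth of accounts touched in a short window. The churn report gives a second signal for infrastructure that is continually refreshed.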

Zirconium hackers were involved in attacks against high-profile individuals associated with the US election. The threat actors targeted people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community.

Microsoft detected thousands of attacks attributed to this group between March 2020 and September 2020; in this period the Chinese hackers gained access to almost 150 accounts. The attacks aimed at:

  • People closely associated with US presidential campaigns and candidates.
  • Prominent individuals in the international affairs community, academics in international affairs.

Phosphorus targeted the personal accounts of people associated with the Donald J. Trump for President campaign.

The attacks of the group are part of a hacking campaign that started in 2019. In October, Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

Now Microsoft confirms that the Iran-linked hackers targeted the Trump campaign and shared details on new activity related to the group.

“Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff,” Burt says.

In March 2019, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

“We disclose attacks like these because we believe it’s important the world knows about threats to democratic processes. It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities.” concludes the post. “We report on nation-state activity to our customers and more broadly when material to the public, regardless of the actor’s nation-state affiliation. We are taking extra steps to protect customers involved in elections, government and policymaking. We’ll continue to disclose additional significant activity in our efforts to defend democracy.”

Below my interview at TRT international on the topic. Please like it 😉

Microsoft: Russian, Chinese, Iranian hackers target #US #election

Pierluigi Paganini

(SecurityAffairs – hacking, US Election)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.