Updated at 11:44 a.m. ET
A familiar cyberattack suspect linked with the Russian intelligence service has resurfaced in the months leading up to the U.S. midterm elections, according to Microsoft. The tech giant announced overnight that last week it executed a court order to disrupt six fraudulent websites set up by a hacker group known by many names — most often APT28, but also Fancy Bear or Strontium, among others.
The unit has been associated with the Russian spy agency GRU and blamed for a raft of high-profile hacks across the world in recent years — including the breaches of the Democratic National Committee's network during the 2016 presidential election.
In this case, Microsoft says the group established a half-dozen domains meant to be confused with two conservative groups, the U.S. Senate and even Microsoft's own suite of products. Two of those targets, the nonprofit International Republican Institute and the Hudson Institute research center, have criticized the Kremlin.
Microsoft says the International Republican Institute and the Hudson Institute were targeted with my-iri.org and hudsonorg-my-sharepoint.com, and that three domains — senate.group, adfs-senate.services and adfs-senate.email — mimicked the Senate. Microsoft itself appears to have been the focus of office365-onedrive.com.
Microsoft notes that it has "no evidence" to indicate the domains were used in any successful attacks, or to conclusively determine their ultimate object.
"In this particular instance we believe we were able to act quickly enough that these specific sites were not used successfully," Brad Smith, Microsoft's president and chief legal officer, tells NPR. He adds that the latest activity "clearly suggests" that the hacker group is focusing on conservative organizations.
Elizabeth Dwoskin of The Washington Post explains why the starkly similar domain names are significant — and why Microsoft has a vested interest in shutting them down.
"Remember, Microsoft is managing one of the largest corporate email programs in the world," she tells NPR. "When you open up your email and you click on a link — you think it's an email from a trusted person, and then you're taken to a website that is loaded up with malware and it's going to take your credentials."
The hackers sent emails to board members or think tank employees that notified them of a problem with their email account and directed them to bogus websites, according to Smith.
"When they get to this site they see, typically, a page that looks just like a page of their employer, where they work, they're asked to enter their password and then their credentials are harvested, so to speak," he says.
Microsoft says that "these domains show a broadening of entities targeted by Strontium's activities" — and adds that the attacks are neither the first nor likely to be the last to be launched by the hacking group. The company says that in just the past two years, it has shut down 84 such fake websites.
"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States," Microsoft says. "Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."
That's a sentiment echoed by one of the most recent apparent targets, the IRI, which is chaired by sitting U.S. Sen. Dan Sullivan, R-Alaska.
"This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights," the group's president, Daniel Twining, tells The Washington Post. "It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin's authoritarian regime."
The Kremlin has denied the allegations, according to the Russian news agency Interfax. It cites an unnamed diplomatic source who reportedly dismissed the claims as Microsoft simply "playing political games": "The elections have not happened yet," the diplomat says, "but there are already allegations."
The U.S. intelligence community has concluded that Russian interference in the 2016 election was aimed at boosting Donald Trump's bid for the presidency. Just last month the Justice Department charged 12 Russian intelligence officers, members of the GRU, with leveling a massive cyberattack against Democratic Party targets during the 2016 campaign, including the hack of the DNC's network.
President Trump, for his part, has offered shifting accounts of how he views the Russian activity, at times downplaying these cyberattacks and the prospect of their recurrence, while at others pledging to "counteract it very strongly." Occasionally those shifts have come within a matter of hours.
"We are not yet seeing the kind of electoral interference in specific states and voter databases that we experienced in 2016," Director of National Intelligence Dan Coats said last month. "However, we fully realize that we are just one click of the keyboard away from a similar situation repeating itself."
As for Microsoft, it announced that means developing new initiatives and new partnerships to prevent the kinds of attacks seen in 2016 from resurfacing. The company used its blog post announcing last week's court-ordered maneuver to introduce a new program called AccountGuard, which it says will provide "cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack."
Smith says Russian cyberattacks in 2016 "have been even broader than we first thought. That's across the tech sector, that's across this country."
"And if you're going to stand up successfully and defend a democracy against these kinds of foreign attacks, we need to bring people together. And we can only bring people together if everyone is in the know about what's going on."