In a blog post, Microsoft says the breach attempts targeted the email accounts of people close to the campaigns. Microsoft points out that most attacks were prevented, although Tom Burt, Corporate Vice President for Customer Security & Trust at Microsoft, says some may have gone undetected. The Russian attacks appear to come from a group known as Strontium, also known as Fancy Bear or APT28. Microsoft says the group has been extremely active over the last year; specifically, it has attacked 200 organizations since September 2019. Some of those targets include:
“U.S.-based consultants serving Republicans and Democrats; Think tanks such as The German Marshall Fund of the United States and advocacy organizations; National and state party organizations in the U.S.; and The European People’s Party and political parties in the UK”
Strontium’s methods include spear-phishing email campaigns, brute-force attacks, and password spraying. Microsoft points out that the group’s attacks are usually simple to detect but are becoming harder to spot: “Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
Iranian attacks
Iranian-backed hackers come from the Phosphorus group. Microsoft has been tracking the group’s attacks since last year and had previously warned that the 2020 elections were a target. Redmond now says the Trump campaign has been targeted in recent attacks. “Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff,” Burt adds.
Chinese attacks
Hackers working for the Chinese government have also been active. Microsoft says Zirconium is at the forefront of a deluge of groups being employed to target US elections. The company says thousands of attacks have come from the group since March this year: “Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
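The web-beacon reconnaissance Microsoft describes relies on a mail client quietly fetching a remote resource when a message is opened. The following added example (not part of the Microsoft report or this article) shows how a defender can scan an HTML email for the image-based form of such beacons before remote content is loaded: external images that are also tiny, hidden, or carry a long per-recipient token. The sample message, domains and token values are constructed for illustration.

```python
"""Flag likely web beacons (tracking pixels) in an HTML e-mail.

Added example for illustration; the message, domains and tokens below
are constructed, not taken from Microsoft's report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a benign logo plus a hidden 1x1 beacon carrying a per-recipient token.
SAMPLE_HTML = """
<html><body>
<p>Hello, please see the attached briefing.</p>
<img src="https://example-newsletter.test/logo.png" width="120" height="40">
<img src="https://lookalike-domain.test/p/a9f3c2e1b7d4486f9c0e12ab34cd56ef.gif" width="1" height="1" style="display:none">
<a href="https://lookalike-domain.test/open?id=7c1e2d3f">read more</a>
</body></html>
"""

# Long opaque identifiers tie a single fetch to a single recipient.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,}")


class BeaconFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "img" or not a.get("src"):
            return
        url = a["src"]
        parts = urlparse(url)
        reasons = []
        if parts.scheme in ("http", "https"):
            reasons.append("remote image")  # loading it tells the server the mail was opened
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 or zero-size")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        if TOKEN_RE.search(parts.path) or TOKEN_RE.search(parts.query):
            reasons.append("per-recipient token")
        # A remote image alone is normal marketing; treat it as a beacon only when it is also tiny, hidden or tokenised.
        if len(reasons) >= 2:
            self.findings.append({"host": parts.hostname, "url": url, "reasons": reasons})


def find_beacons(html: str) -> list:
    """Return a list of suspected beacon images with the reasons each was flagged."""
    parser = BeaconFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_HTML):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

Links in the message text only fire when clicked, so a scanner like this covers the auto-loading image form; blocking remote content by default in the mail client closes the rest.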