Microsoft says it stopped a Russian cyberattack on conservative think tanks

Russia also apparently went after the Senate and even Microsoft itself.

A sign at Microsoft headquarters. The company says it thwarted a Russian attempt to hack conservative think tanks, the Senate, and Microsoft itself.
Stephen Brashear/Getty Images

The elite Russian military intelligence unit that interfered in the 2016 US presidential election has been trying to hack its way deeper into America’s politics. But there’s good news: Microsoft thwarted the effort.

According to Microsoft president Brad Smith, Russian government hackers registered six domains that mimicked those of conservative US think tanks, the Senate, and Microsoft itself. The aim was spear-phishing: lure people to the lookalike pages and harvest information from the visitors who landed there. Microsoft says it identified the sites, which had been created within the past few weeks, obtained a court order, and seized them, rendering them useless to the hackers.

Crucially, the company noted that it has yet to see evidence that the websites were used in a successful attack, and it is unclear whether the Russian operatives were after specific people. It is also possible that the fake pages served malware, which would have given the Russians access to the computers of anyone who visited.

But the identities of both the hunters and the prey here are important.

The hackers, collectively known as Fancy Bear or APT28, have ties to the GRU, Russia’s main military intelligence agency. In July, special counsel Robert Mueller indicted 12 of its members for stealing emails and documents from the Democratic National Committee, the Democratic Congressional Campaign Committee, and various Hillary Clinton campaign staffers, including campaign chair John Podesta.

In this latest attack, their targets included two right-leaning think tanks: the Hudson Institute and the International Republican Institute (IRI), which have strongly criticized Russia and sought greater sanctions on Moscow. The latter organization’s board contains some high-profile Republicans, including Sen. John McCain (AZ) and former Republican presidential nominee Mitt Romney.

“We have known that Russian actors have gone after think tanks before,” says Council on Foreign Relations cyber expert Adam Segal. What is surprising, though, is that conservatives, particularly those critical of Russia, are targets of Russian hacking, not simply those on the political left.

“The efforts of the Russian security services reflect a broader goal to skew the American political discourse in ways that are sympathetic to Moscow,” says Michael Sulmeyer, a former top cyber official at the Pentagon who’s now at Harvard University.

Russia, as usual, denies having anything to do with the hacking attempt. But the targets of the attack aren’t buying it.

“This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights,” Daniel Twining, IRI’s president, told the Washington Post. “It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime.”

How the Russians are interfering this time around

The hackers created six domain names that closely resemble those of the three sets of targets. As the screenshot from Smith's post shows, they include the abbreviation for the International Republican Institute, the words “Hudson” and “senate,” and “onedrive,” the name of a Microsoft product.

Domain names made by Fancy Bear hackers to resemble those of the Senate, conservative think tanks, and Microsoft.
Screenshot from an August 20 blog post by Microsoft president Brad Smith

This tactic — making fake sites in the hope of obtaining information on visitors — is apparently something the Russian group does quite often. Microsoft says it has shut down 84 fake websites associated with this group of hackers in just two years.
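As an added illustration (not Microsoft's own tooling, which the post does not describe), here is a small screening script a defender could run over newly registered or newly observed domain names to catch the pattern the seized domains share: a protected brand keyword, sometimes with a lookalike character swapped in, bolted onto a login- or file-service word. The protected-brand list, service-word list, allowlist and candidate domains are all constructed for the example; the candidates are invented and are not the domains Microsoft seized.

```python
"""Screen domain names for lookalikes of protected brands.

Added example, not Microsoft's tooling (the post does not describe it).
Everything below is constructed for illustration: the protected-brand list,
the service-word list, the allowlist and the candidate domains. The
candidates are invented and are NOT the domains Microsoft seized.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Hypothetical brands to protect; chosen to mirror the targets in the article.
PROTECTED = ("iri", "hudson", "senate", "onedrive", "microsoft")

# Words attackers bolt onto a brand so a hostname reads like a login or
# file-sharing portal. Compared against the raw (un-normalized) token.
SERVICE_WORDS = frozenset({"login", "sso", "adfs", "mail", "sharepoint",
                           "office365", "my", "secure", "portal", "account"})

# Character swaps that let a lookalike pass a quick visual check.
# Undone before a token is compared against the brand list.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"))

# Hypothetical legitimate domains that contain a brand on purpose.
ALLOWLIST = frozenset({"iri.example", "hudson.example"})

FLAG_THRESHOLD = 3  # an exact brand hit alone is enough to flag


def normalize(token: str) -> str:
    """Undo common homoglyph substitutions so 'micros0ft' reads 'microsoft'."""
    token = token.lower()
    for glyph, letter in HOMOGLYPHS:
        token = token.replace(glyph, letter)
    return token


def tokens(domain: str) -> list[str]:
    """Split the labels left of the TLD on '-' and '_' into words."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) > 1:
        labels = labels[:-1]  # the TLD carries no brand signal here
    return [t for label in labels for t in re.split(r"[-_]+", label) if t]


def score(domain: str) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one domain."""
    total, reasons = 0, []
    for raw in tokens(domain):
        if raw in SERVICE_WORDS:
            total += 1
            reasons.append(f"service word '{raw}'")
        norm = normalize(raw)
        for brand in PROTECTED:
            if norm == brand:
                total += 3
                note = " via homoglyph" if raw != brand else ""
                reasons.append(f"brand '{brand}'{note}")
            elif SequenceMatcher(None, norm, brand).ratio() >= 0.8:
                total += 2
                reasons.append(f"near-match '{raw}' ~ '{brand}'")
            elif brand in norm:
                total += 1
                reasons.append(f"'{brand}' embedded in '{raw}'")
    return total, reasons


def screen(domains):
    """Return [(domain, score, reasons)] for every non-allowlisted domain
    at or above FLAG_THRESHOLD, highest score first."""
    hits = []
    for domain in domains:
        if domain.lower().rstrip(".") in ALLOWLIST:
            continue
        total, reasons = score(domain)
        if total >= FLAG_THRESHOLD:
            hits.append((domain, total, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed candidates: invented lookalikes in the style the article
# describes, two benign names, and one allowlisted legitimate domain.
CANDIDATES = [
    "my-iri-login.example",
    "hudson-portal-sso.example",
    "senate-account-mail.example",
    "office365-0nedrive.example",
    "micros0ft-secure.example",
    "hudsonriverkayaks.example",
    "example.com",
    "hudson.example",
]

if __name__ == "__main__":
    for domain, total, reasons in screen(CANDIDATES):
        print(f"{total:2d}  {domain:32s} {'; '.join(reasons)}")
```

The scoring is deliberately additive so that a bare brand hit flags on its own while an unrelated word that merely contains the brand (the kayak shop above) stays below the threshold; in practice the candidate list would be fed from certificate-transparency logs or a new-domain feed, and the allowlist from the organization's own registrations.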

It goes to show just how powerful private companies — not just the US government — can be in stopping cyberattacks by foreign adversaries. “I am not surprised Microsoft has this type of capability,” says Steve Luczynski, a former military officer and cyber policy adviser at the Pentagon, adding that Microsoft now seems “more comfortable talking about it publicly.”

But making fake websites isn’t the only way Russia has tried to gain greater access inside America’s sprawling political machinery ahead of the 2018 midterm elections.

Moscow has reportedly already penetrated some of Florida's county voting systems and sent phishing emails to an aide to Missouri Democratic Sen. Claire McCaskill, one of the most vulnerable Senate Democrats up for reelection this year. Both states feature closely contested races that could oust Democratic senators from office.

The question, then, is what Fancy Bear wanted from its foiled attempt. “Is this the kind of activity they’re using for intelligence gathering or a way to gather information to weaponize later?” muses Chris Painter, the State Department’s top cyber diplomat from 2011 to mid-2017. “It’s not clear what the intent of this is.”

That’s scary: We know what the Russians did, but not why — and it’s unclear if we’ll know that answer before it’s too late.
