A new report from Microsoft shines a spotlight on powerful cyberattack campaigns which are currently targeting the US election.
The upcoming US presidential election was expected to be a prime candidate for interference. However, Microsoft notes that foreign activity groups have “stepped up their efforts” for this election.
Microsoft has discovered three key campaigns operating from three countries often linked with cyberattacks:
- Strontium (Russian) – Microsoft says this group has attacked more than 200 organisations, including political campaigns, advocacy groups, parties, and political consultants.
- Zirconium (Chinese) – This group has attacked high-profile individuals. This includes people associated with the Joe Biden for President campaign, and prominent leaders in the international affairs community.
- Phosphorus (Iranian) – This Iranian group has focused on attacks targeting the personal accounts of people associated with the Donald J. Trump for President campaign.
Microsoft is on the frontline against cyberattack efforts due to its widely-used products. The firm says the majority of these attacks were detected and stopped by Microsoft’s security tools. Any targeted or compromised individuals were notified to protect themselves against further attacks.
Strontium is the same group that was affiliated with attacks on the 2016 Democratic presidential campaign and was highlighted in the Mueller report. Microsoft claims, as in 2016, Strontium is aiming to harvest login details to aid in intelligence gathering or disruption operations.
During the UK elections, a key and divisive moment was a surprise leaked document pulled out by former opposition leader Jeremy Corbyn of early UK-US trade talks which he claimed proved the NHS was at threat. Corbyn, who has often been criticised for taking a soft stance on Russia amid events such as the Salisbury poisonings, refused to disclose where the documents were obtained. A 19-page report published by Graphika said the leak closely resembles techniques used by Secondary Infektion, a known Russian operation.
Microsoft has found that Strontium has evolved since the 2016 US elections “to include new reconnaissance tools and new techniques to obfuscate their operations”. Strontium is now using brute force and password spray tactics, in addition to disguising them using over 1,000 rotating IP addresses (most of which are Tor anonymised.)
Zirconium, the group originating from China, has been linked by Microsoft to around 150 compromises between March and September 2020.
The group targets predominantly either people close to US presidential campaigns and candidates, or individuals within the international affairs community.
Microsoft says Zirconium typically uses domains populated with content which, after the victim visits, allows the attackers to determine whether the targeted account is active and therefore worth pursuing further.
Iranian group Phosphorous has a direct history with Microsoft after the US tech giant took legal action against its infrastructure. Microsoft launched the action after discovering the group’s efforts late last year to target a US presidential campaign.
Last month, Microsoft was given further permission by a federal court in Washington to take control of 25 of Phosphorous’ domains. To date, Microsoft has taken control of 155 domains linked to the group.
Evolving campaigns
Away from the US elections and Microsoft’s report, Russia’s infamous troll farms have turned their attention to using the COVID-19 pandemic to cause division and sow disorder.
Lea Gabrielle, coordinator of the Global Engagement Center, recently said the “entire ecosystem of Russian disinformation is at play” and that Russia is aiming to “take advantage of a health crisis, where people are terrified worldwide, to try to advance their priorities.”
Social media posts linked to Russian disinformation campaigns have spread COVID-19 conspiracy theories like 5G causes the virus, or that it was a US bioweapon against China (a reminder that, in the 80s, the Soviet KGB successfully spread the story that AIDS was a CIA-created biological weapon.)
One publisher, Natural News, was behind the viral “plandemic” video and was found to be pushing content from troll farms claiming the virus is part of an elaborate scheme to control populations through vaccines. Natural News also spread the debunked claims that wearing a mask increases the risk of catching the coronavirus, as well as that they cause brain damage due to reducing oxygen.
The COVID-19 disinformation campaign is an example of how they’ve evolved over the years.
Earlier campaigns focused on creating entirely false stories and using alleged images to appear more convincing. One example was the fictional Ebola crisis in Atlanta in 2016. However, evidence suggests they weren’t very effective.
Newer campaigns harness people’s existing fears around things like vaccinations, immigration, and climate change. Tailoring specifically to people across the political spectrum, these campaigns are far more effective by telling people what they want to hear which means that they have a better chance at being reshared to spread further.
In the case of COVID-19, such campaigns tailor to the right by saying it’s an attempt to take away their freedoms and blame China. For the left, they focus on spreading the idea that their government’s actions are immoral.
All of the aforementioned tactics help to serve the perpetrators’ intended goals of causing division and disorder in Western democracies.
Interested in hearing industry leaders discuss subjects like this? Attend the co-located 5G Expo, IoT Tech Expo, Blockchain Expo, AI & Big Data Expo, and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam.
