Parts of an operation linked to Russian military intelligence targeting the US Senate and conservative think tanks were thwarted last week, Microsoft announced early Tuesday.
The company said it executed a court order giving it control of six websites created by a group known as Fancy Bear. The group was behind the 2016 hack of the Democratic National Committee and is directed by the GRU, the Russian military intelligence unit, according to cybersecurity firms.
The websites could have been used to launch cyberattacks on candidates and other political groups ahead of November’s elections, the company said.
The websites a judge in the Eastern District of Virginia granted Microsoft control of include some with domain names designed to resemble sites used by congressional staff, such as “senate.group” and “adfs-senate.email.”
Other domains were designed to look like they were related to the Hudson Institute, a conservative think tank, and the International Republican Institute, whose board includes six serving senators, former Massachusetts Gov. Mitt Romney and Gen. H.R. McMaster.
Microsoft said the domains were “associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28.” The company said it has no evidence that the domains were used in successful attacks but that it was working with the potential target organizations.
Microsoft argued in court that the domains were posing as some of the company’s own services.
Hackers could have used the domains to send emails to Senate staffers or people working for the Hudson Institute or the International Republican Institute in an attempt to trick them into handing over information, like their passwords.
This form of attack, known as spearphishing, was successfully used to target Hillary Clinton’s campaign chairman John Podesta in 2016.
Missouri Democratic Sen. Claire McCaskill’s staff was similarly targeted by a Russian group last year. McCaskill says the attempt was unsuccessful.
“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” Microsoft President Brad Smith said in a blog post published on the company’s website on Monday night.
The news comes less than a week after it emerged that two Democratic congressional primary candidates were hacked earlier this year.
The campaigns of Dr. Hans Keirstead and David Min, both of whom lost in California’s June primaries, were breached, but the groups responsible for the attacks have not been made public and may not be known.
Microsoft said Monday that, in light of the ongoing threats to political groups in the US, it was launching a specialized cybersecurity protection service called AccountGuard.
The company says it will offer the service to all candidates and campaign officials, as well as think tanks and political organizations that use Microsoft Office 365, at no additional cost.
The initiative is part of Microsoft’s Defending Democracy Program, which it launched in April. The company said it plans to roll out AccountGuard in other parts of the world.