Microsoft has notified nearly 10,000 users—from political parties, campaigns, and democracy-focused non-governmental organizations—that they were targeted or compromised by state-backed actors in the past year.
"[A] spike in attacks on NGOs and think tanks that work closely with candidates and political parties, or work on issues central to their campaigns serve[s] as a precursor to direct attacks on campaigns and election systems,” said Tom Burt, corporate vice president of Microsoft’s Customer Security and Trust unit.
There has been a lot of discussion over the past two years about protecting voting systems so that ballots can’t be changed or manipulated, but the attacks Microsoft warned about are not related to the voting process. It is becoming increasingly clear that attacks to disrupt votes start long before the voter steps up to the voting machine. The goals take many forms, including stealing information from campaigns, running disinformation campaigns, or collecting intelligence from think tanks that influence policy. Microsoft said it expects attacks against think tanks and candidates to ramp up ahead of the next United States presidential election in 2020.
“This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” Burt said.
Microsoft said 84 percent of these attacks targeted enterprise customers, and the remaining 16 percent affected consumer personal email accounts. Microsoft also issued 781 notifications to users of its free AccountGuard service, which provides notifications about attacks against official email systems run by the organizations as well as the personal accounts for the people in those organizations.
As always, whenever there is a question of state-sponsored activity, the question organizations need to ask is whether they have something of interest to the attackers. It’s not about size (“I am just one person/small company, why would anyone target me?”) but about having valuable information, such as profile information on powerful or influential individuals, or access to a valuable system or application. Democracy-focused organizations, such as political action committees and groups focused on polling, activism, local organizing, and providing information about different candidates and ballot initiatives, all play an important role and are of interest to state-sponsored actors focused on influencing elections. These organizations are typically not well-equipped to deal with state-sponsored attacks.
“By nature, these organizations are critical to society but have fewer resources to protect against cyberattacks than large enterprises,” said Burt.
The majority of the attacks originated from Iran, North Korea, and Russia. Microsoft linked the attacks to well-known attack groups, including Strontium (APT28, Fancy Bear), Holmium, Mercury, and Tallium. Strontium has been associated with the attacks against the Democratic National Committee and Holmium is the group backed by Iran believed to have used the Shamoon wiper malware in attacks against Saudi transport operators. Strontium is also believed to have been involved in attacks against European organizations investigating Russia’s use of chemical weapons.
Last year, Microsoft disrupted a group believed to be backed by Russia that had spoofed internet domains associated with the United States Senate and two other non-profit organizations. In February, Microsoft flagged attacks against European think tanks, NGOs, and democratic institutions. The attacks, which targeted 104 employee accounts in Belgium, France, Germany, Poland, Romania, and Serbia, are believed to have been tied to Europe’s May elections.
It’s not just Microsoft notifying users, either. Google recently notified Hong Kong activist Joshua Wong, one of the several student leaders participating in the Hong Kong protests, that government-backed attackers (which government was not specified) may have been trying to steal his Gmail password and access his data.
Microsoft’s Defending Democracy Program, which includes AccountGuard for Office 365 users and Microsoft 365 for Campaigns, is one of many free or low-cost tools and services that technology companies and academics have offered to political campaigns and related groups over the past two years to help protect them from attacks. Cloudflare’s Athenian Project offers free distributed denial-of-service protection and other security services, such as enabling HTTPS and protection against website defacement, to state and local government websites dealing with elections. Alphabet’s Jigsaw runs Project Shield, which provides DDoS-protection tools to political organizations such as campaigns and PACs. Jigsaw’s Perspective tool helps online moderators identify abusive or toxic comments on political forums. Facebook monitors campaign accounts for attacks and helps review affiliated accounts for similar activity. Microsoft said it is working with academic institutions such as the Harvard Kennedy School of Government’s Belfer Center, Columbia World Projects at Columbia University, Princeton University, and the Oxford Internet Institute’s Computational Propaganda Project.