The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election, breaking into the Democratic National Committee and Hillary Clinton’s campaign to publicly leak their secrets. Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.
On Thursday, Microsoft published a blog post revealing that it has seen Russia’s Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoft’s Threat Intelligence Center, including political campaigns, advocacy groups, think tanks, political parties, and political consultants serving both Republicans and Democrats. Microsoft named the German Marshall Fund of the United States and the European People’s Party as two of the hackers’ targets. The company otherwise declined to publicly name victims or say how many of the attempted intrusions had been successful, though it said that its security measures had prevented the majority of attacks.
“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,” Microsoft’s blog post reads. “Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence.”
Reuters reported earlier today that SKDKnickerbocker, a campaign strategy and communications firm working with presidential candidate Joseph Biden and other prominent Democrats, had received a warning from Microsoft that it had been unsuccessfully targeted by Russian hackers, without naming Fancy Bear. WIRED reported in July that Fancy Bear had targeted US government agencies, education institutions, and the energy sector, but without any clear intent to affect the 2020 election.
Microsoft’s blog post also details politically focused hacking campaigns by a Chinese group known as Zirconium or APT31, as well as an Iranian group known as Phosphorous or APT35. The Chinese campaign’s attacks have included 150 successful breaches of organizations in the last six months, Microsoft’s researchers say. They note that the hackers have attempted to target the Biden campaign—apparently without success—as well as “one individual formerly associated with the Trump administration.” APT31 has also hit more run-of-the-mill espionage targets, including academics at 15 universities and staff accounts at 18 think tanks, including the Atlantic Council and the Stimson Center.
The Iranian campaign, according to Microsoft, has attempted to gain access to multiple accounts of people involved in the 2020 presidential election, as well as multiple members of Trump’s administration and campaign staff in May and June of this year. Those Trump-targeted intrusions were unsuccessful, Microsoft adds.
But it’s Russia’s latest attacks that are the most troubling, according to threat intelligence firm FireEye. That’s because, unlike Iran or China, the Russian military intelligence agency known as the GRU—and specifically the GRU team known as Fancy Bear, believed to be GRU Unit 26165—has a history of going beyond traditional spying to carry out political hack-and-leak operations like the ones it performed ahead of the 2016 US presidential election and the 2017 French presidential election.
“We remain most concerned by Russian military intelligence, who we believe poses the greatest threat to the democratic process,” reads a note FireEye sent to its customers warning about the politically focused hacking campaigns, referring to the group by the name APT28. “The targeting of political organizations is a common feature of cyber espionage. Parties and campaigns are good sources of intelligence on future policy, and it’s likely Iranian and Chinese actors targeted US campaigns to quietly collect intelligence, but APT28’s unique history raises the prospect of follow-on information operations or other devastating activity.”