Microsoft targets copycat influence websites

Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.


The company's President Brad Smith announced Aug. 20 that Microsoft had won a court battle to take ownership of six website domains designed to "look like sites their targeted victims would expect to receive email from or visit." In this case, the targets were conservative think tanks and congressional Republicans, with URLs designed to mimic the International Republican Institute, the Hudson Institute and the U.S. Senate.

Microsoft claims the activity is linked to "Strontium" or Fancy Bear, an advanced persistent threat group associated with the Russian government, although the organization did not indicate what evidence it was relying on to make the assertion. There's no evidence, Smith said, the sites were able to successfully compromise any targets before Microsoft won control in court.

If left unchecked, the websites could have been used to spoof emails to members of Congress or staffers that would appear to be coming from legitimate domains to facilitate spearphishing campaigns and steal login credentials. Smith said that Microsoft has used a similar approach at least 12 times over the past two years to shut down 84 websites.
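The spoofing risk described above rests on domains that merely resemble a legitimate one. A defender can screen newly observed sender or link domains against the organisation's own domains before a lookalike is ever used for phishing. The following Python is an added example, not code from the article or from Microsoft; the protected domains, the candidate domains and the small confusable-character table are all constructed placeholders (the real domains in the case are not given on the page).

```python
"""Flag domains that look like a protected organisation's domain.

Added example, not from the article or from Microsoft. The protected and
candidate domains below are constructed placeholders.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed list of domains to protect (placeholders, not the real targets).
PROTECTED = ["think-tank-example.org", "legislature-example.gov"]

# Digits commonly swapped for look-alike letters (assumption: an illustrative
# subset, not a complete confusables table).
DIGIT_MAP = str.maketrans("0135", "olse")
# Letter pairs that render like a single letter in many fonts.
PAIR_MAP = (("rn", "m"), ("vv", "w"))


def registrable_part(domain: str) -> str:
    """Return the label left of the top-level suffix.

    Assumption: two-label suffixes such as co.uk are not handled; a real
    deployment would use the public suffix list.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Fold accents, digit substitutions and confusable pairs to plain letters."""
    text = unicodedata.normalize("NFKD", label)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(DIGIT_MAP)
    for pair, single in PAIR_MAP:
        text = text.replace(pair, single)
    return text


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib's sequence matcher."""
    return SequenceMatcher(None, a, b).ratio()


def classify(candidate: str, protected=PROTECTED, threshold: float = 0.8):
    """Return (verdict, matched_protected_domain, score).

    verdict is "legitimate" (the domain or a subdomain of a protected one),
    "lookalike" (normalized name is close to, or embeds, a protected name)
    or "unrelated".
    """
    cand_raw = candidate.lower().rstrip(".")
    cand = normalize(registrable_part(candidate))
    best = None
    for p in protected:
        if cand_raw == p or cand_raw.endswith("." + p):
            return ("legitimate", p, 1.0)
        prot = normalize(registrable_part(p))
        score = similarity(cand, prot)
        # Brand name embedded in a longer label, e.g. "<brand>-login".
        if prot != cand and prot in cand:
            score = max(score, 0.9)
        if best is None or score > best[1]:
            best = (p, score)
    if best is not None and best[1] >= threshold:
        return ("lookalike", best[0], round(best[1], 2))
    return ("unrelated", None, round(best[1], 2) if best else 0.0)


def scan(candidates, protected=PROTECTED):
    """Classify a batch of observed domains; returns {domain: verdict tuple}."""
    return {d: classify(d, protected) for d in candidates}


if __name__ == "__main__":
    # Constructed sample of domains seen in mail headers or links.
    observed = [
        "mail.think-tank-example.org",      # real subdomain
        "think-tank-exarnple.org",          # "rn" standing in for "m"
        "think-tank-examp1e.org",           # "1" standing in for "l"
        "legislature-example-login.com",    # brand embedded in longer label
        "weather-report.com",               # unrelated
    ]
    for domain, verdict in scan(observed).items():
        print(f"{domain:32} {verdict}")
```

The heuristic is deliberately conservative: normalization is applied to both sides so an organisation whose own name contains "rn" is not penalised, and the threshold is a tunable starting point rather than a fixed rule. In practice the candidate list would come from certificate-transparency feeds or inbound mail logs, and the public suffix list would replace the naive `registrable_part`.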

"In the face of this continuing activity, we must work on the assumption that these attacks will broaden further," wrote Smith. "An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector."

Microsoft has been trying to gain control of the sites for two years. Its lawyers filed a complaint on Aug. 13, 2016, alleging that the defendants violated the Computer Fraud and Abuse Act, harming Microsoft and its customers.

The complaint alleges that two unknown individuals led the effort "to direct attacks against targeted networks, to infect computing devices connected to those networks that permit Defendants to compromise the security and conduct reconnaissance of and move laterally through those networks, and to locate and exfiltrate sensitive information."

The complaint also accuses the individuals of accessing the computers and networks of Microsoft customers, intercepting communications via Microsoft's Windows operating system, making unauthorized use of Microsoft trademarks, "trespassing" on the computer networks of Microsoft and its customers, intentionally interfering with Microsoft contracts and profiting unjustly from their unauthorized use and access.

Microsoft said it has notified all potentially affected parties and also indicated that it is working with U.S. Senate IT staff "following prior attacks we detected on the staffs of two current senators."

Thomas Rid, a Johns Hopkins professor, political scientist and cybersecurity expert, was one of the first people to forensically trace the 2016 DNC hack to Russia. He questioned whether the activities represented an attempt to influence the upcoming mid-term elections rather than more routine intelligence gathering, and he wanted to see stronger evidence linking the hacking group to the websites.

"Microsoft's threat intel team know what they are doing," Rid tweeted. "So, no reason to doubt them. Still, it would be nice to have a little more detail on how they made the link."

The company's actions come less than a month after Facebook announced it had discovered similar coordinated activity across 32 pages, groups and accounts. Earlier this month, media reports identified two Democratic congressional campaigns that were also the subject of hacking campaigns.

Assessments by the U.S. intelligence community and the Senate have stated with high confidence that the Russian government used a far-reaching disinformation campaign to interfere with the 2016 presidential election and further that those campaigns were intended to help the candidacy of now-President Donald Trump.

The conservative think tanks targeted in the alleged campaign aren't closely aligned with President Trump on foreign policy, observers noted.

"Of note -- these conservative think-tanks cater to the old guard of Republican politics," wrote Crispin Burke, a U.S. Army aviator who writes a personal blog about national security and foreign policy issues. "The International Republican Institute, for instance, has members including noted Russia hawks like John McCain, Mitt Romney … and H.R. McMaster."