Russian, Chinese and Iranian hackers target US presidential election, Microsoft says

Russian hackers who weighed in on the 2016 US presidential election have not put away their keyboards. On the contrary: according to Microsoft, in recent weeks they have targeted individuals and organizations involved in the November 3 election. They are not the only ones: according to the company’s analysts, hackers of Chinese and Iranian origin have also launched offensives linked to the ballot.

“This activity that we are revealing today clearly shows that foreign groups have stepped up their efforts to target the 2020 election, as anticipated and in accordance with what the US government, in particular, has reported,” writes Tom Burt, vice president of Microsoft, on the company’s website.

The return of “Fancy Bear”

The Russian hacker team that Microsoft calls “Strontium”, dubbed “APT28” or “Fancy Bear” by other companies, and which investigations by the US justice system and Congress consider to be an arm of Russian military intelligence (GRU), had already played a leading role four years ago. It had hacked into the email accounts of individuals close to Hillary Clinton’s campaign and the Democratic Party. The documents obtained in this hack were then published by WikiLeaks and widely reported by the American media.

In 2020, the targets of these hackers include consultants working with Republicans and Democrats, think tanks, political parties in the United States and the United Kingdom, and the European People’s Party, which brings together the parties of the right and the center in the European Parliament. In particular, APT28 allegedly targeted a consulting firm working with Joe Biden’s campaign team, Reuters reported shortly before Microsoft’s announcement.

Politics, however, is only one aspect of the APT28 activity that Microsoft reveals today. According to the company, tens of thousands of email accounts belonging to 200 organizations were targeted between September 2019 and June 2020. The techniques of this group, known to and tracked by a number of specialized companies for several years, are more advanced than in 2016: according to Microsoft, the hackers are now better at hiding their tracks and are more difficult to follow.

Attempts from Iran and China

Other groups have taken a keen interest in the US election. One of them is the group Microsoft has nicknamed “Zirconium”. Tracked by the cybersecurity industry for several years, and widely agreed to be close to Chinese intelligence, it is better known for industrial espionage operations. According to Microsoft, this group attacked “leading individuals”, including members of Joe Biden’s campaign, a person formerly close to the Trump administration, and some 30 universities and think tanks, mostly in the sphere of international relations. Microsoft’s accusations are “invented from scratch”, Zhao Lijian, a spokesperson for the Chinese foreign ministry, reacted on Friday, denying any intention to interfere.

A third group, which Microsoft calls “Phosphorus”, also appears to be circling the 2020 election. Well known to cybersecurity experts, it is considered to be an arm of the Iranian intelligence services and, until the end of last year, concentrated on targets linked directly or indirectly to Saudi Arabia and more broadly to the Middle East. Since the end of 2019, it seems to have had the American elections in its sights. It was during this period that Microsoft took control, through a court ruling, of several websites used as infrastructure to launch attacks. According to the company, between May and June 2020 Phosphorus targeted the mailboxes of members of the administration and of Donald Trump’s campaign team.

The involvement of these two groups, Chinese and Iranian, in espionage maneuvers against the US presidential election had already been made public, albeit discreetly, in June, by the head of Google’s team specializing in tracking down high-level hackers.

Espionage or future interference?

It is not surprising that Microsoft is lifting the veil on certain spy operations in this way. With its operating system – Windows, present on tens of millions of computers around the world – and its cloud-based email services, the Redmond company is on the front line of digital intelligence operations.

Whether they were failed attempts or simple reconnaissance maneuvers, these offensives do not in any case seem to have resulted in documents being siphoned off, although Microsoft is cautious on this point. “The majority of these attacks were detected and stopped by the security tools integrated into our products,” writes the company. Nor did these attacks target the infrastructure used during the election for voter registration or vote counting.

Offensives such as those pointed out by Microsoft, when they are successful, are not necessarily accompanied by interference operations as in 2016. Members of political campaign staffs are frequent targets of spies, whether digital or not. In 2008, Chinese hackers targeted both camps, that of John McCain and that of Barack Obama, without these offensives being accompanied by leaks of documents. It is probable, for example, that the Chinese intelligence apparatus wishes to understand the positions of those close to Joe Biden in the event that he replaces Donald Trump in the White House next January.

Sanctions with limited effects

The information made public by Microsoft partly corroborates the position of the American intelligence services, for which these three countries and their hackers are the most active with regard to the US presidential election in November. This new information will, however, be more difficult to digest for the Trump administration, which has continued to downplay Russian interference attempts since 2016 and for which China, more threatening than Russia, has decided to favor Joe Biden. All the more so as it emerges the day after a complaint from a US intelligence official who accuses his superiors of having ordered him to ignore certain information supporting Russian interference attempts so as not to offend Donald Trump.

At the same time, the US Treasury Department sanctioned three Russian nationals, citing their efforts to interfere in the US election. It accuses them of being involved in cryptocurrency transactions for the benefit of the Internet Research Agency, the Russian office in charge of propaganda on social networks, which was very active in 2016. Also targeted by sanctions is Andreï Derkach, a Ukrainian member of parliament described as a “Russian agent”, who has been very active in attacking Joe Biden alongside Rudy Giuliani, a staunch supporter of Donald Trump, to whom he is very close. Andreï Derkach denied any attempt to interfere and spoke of “revenge” by “the deep state”.

The continued activity of Russian military intelligence hackers also suggests that the numerous retaliatory measures taken by the United States after the 2016 election – financial sanctions, legal indictments, cyber attacks – have had a very limited effect. Enough to raise fears of a turbulent few weeks between now and November 3.
