Microsoft: The Kremlin's hackers are already sniffing, probing around America's 2018 elections
Russia's Fancy Bear crew caught gearing up for mid-terms
Microsoft says it has already uncovered evidence of Russian government-backed hacking gangs attempting to interfere in the 2018 US mid-term elections.
Speaking at an event in Aspen, Colorado, earlier this week, Microsoft vice president of security and trust Tom Burt revealed that the Fancy Bear hacking group has already begun setting up the infrastructure for targeted phishing attacks on multiple candidates.
In other words, the sort of mischief Moscow's intelligence agents got up to in 2016 to interfere with the US presidential election, allegedly.
"Earlier this year we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates that were all standing for election this year," Burt said.
"These are all people who, because of their positions, might be interesting targets from an espionage standpoint as well as an election disruption standpoint."
Burt declined to name the targeted candidates, citing Microsoft's policy of preserving the anonymity of its clients. In 2016, Fancy Bear largely focused on breaking into computers belonging to the Democratic Party and Hillary Clinton's campaign, and leaking the Democrats' internal emails in the hope of swinging the balance of Congress toward the GOP and the White House race toward Donald Trump.
Redmond is a tool for Russia
Microsoft's services play a prominent role in Fancy Bear's meddling, Burt said. To make its phishing pages more believable, the GRU-backed crew often registers domains whose names resemble those of Microsoft services, then uses them to host fake login or download pages impersonating Redmond's own. These pages trick victims into installing malware or handing over the usernames and passwords for their email inboxes and other sensitive accounts. The same lookalike domains also serve as command-and-control servers for the group's data-harvesting spyware.
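The lookalike-domain trick Burt describes is something a defender can hunt for in new domain registrations, certificate-transparency feeds or proxy logs. The script below is an added example written for this page; it is not code from the article, from Microsoft or from any published tool. It goes a little beyond the combosquat case the article mentions and also flags single-keystroke typosquats, digit-for-letter and digraph substitutions (0 for o, rn for m), and Cyrillic homoglyphs hidden behind punycode. The Microsoft allowlist is deliberately partial, the registrable-domain split is a naive last-two-labels guess (use the Public Suffix List in practice), and every sample domain is constructed for the demo and uses the reserved .test TLD; none is real attacker infrastructure.

```python
"""Triage of lookalike domains impersonating Microsoft services (added example)."""
import unicodedata

# Partial allowlist of Microsoft-owned registrable domains (assumption: extend it).
LEGIT_MICROSOFT_DOMAINS = {
    "microsoft.com", "microsoftonline.com", "office.com", "live.com",
    "outlook.com", "sharepoint.com", "onedrive.com", "azure.com",
    "windows.com", "msn.com",
}

# Brand tokens worth hunting for inside a non-Microsoft domain. Generic words
# such as "live" or "office" are left out to limit false positives.
BRAND_TOKENS = ("microsoft", "office365", "outlook", "onedrive", "sharepoint", "azure")

# Characters and digraphs commonly swapped in for Latin letters. Small on purpose;
# a production tool would load Unicode's confusables table instead.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c",
    "\u0440": "p", "\u0445": "x", "\u0456": "i", "\u0443": "y",
}
CONFUSABLE_SEQS = {"rn": "m", "vv": "w"}


def decode_idn(fqdn: str) -> str:
    """Turn punycode (xn--) labels back into Unicode so homoglyphs become visible."""
    out = []
    for label in fqdn.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        out.append(label)
    return ".".join(out)


def normalize(label: str) -> str:
    """Fold a label to the Latin letters a human eye would read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for seq, rep in CONFUSABLE_SEQS.items():
        s = s.replace(seq, rep)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(fqdn: str) -> str:
    """Naive eTLD+1 (last two labels). Demo assumption: real code uses the PSL."""
    return ".".join(fqdn.split(".")[-2:])


def classify(fqdn: str) -> dict:
    """Verdict is 'legitimate', 'lookalike' (with reasons) or 'no-match'."""
    fqdn = fqdn.strip().rstrip(".").lower()
    if registrable_domain(fqdn) in LEGIT_MICROSOFT_DOMAINS:
        return {"domain": fqdn, "verdict": "legitimate", "reasons": []}
    reasons = []
    # Inspect every label but the public suffix, so a brand token parked in a
    # subdomain (microsoftonline.com.evil.test) is caught as well.
    for label in decode_idn(fqdn).split(".")[:-1]:
        norm = normalize(label)
        for tok in BRAND_TOKENS:
            if norm != label and tok in norm:
                reasons.append(f"homoglyph: {label!r} reads as {norm!r} (contains {tok!r})")
            elif tok in label:
                reasons.append(f"combosquat: brand token {tok!r} embedded in {label!r}")
            else:
                for chunk in norm.split("-"):
                    if 0 < levenshtein(chunk, tok) <= 1:
                        reasons.append(f"typosquat: {chunk!r} is one edit from {tok!r}")
    return {"domain": fqdn, "verdict": "lookalike" if reasons else "no-match", "reasons": reasons}


# Constructed demo input; the IDN sample spells "microsoft" with a Cyrillic о (U+043E).
IDN_SAMPLE = "micr\u043esoft.test".encode("idna").decode("ascii")
SAMPLE_DOMAINS = [
    "login.microsoftonline.com", "microsoft-login.test", "rnicrosoft.test",
    "micros0ft-update.test", "offiice365.test", IDN_SAMPLE,
    "login.microsoftonline.com.evil.test", "mail.contoso.test",
]


def scan(domains):
    """Return only the domains worth a second look, e.g. for a takedown queue."""
    return [r for r in (classify(d) for d in domains) if r["verdict"] == "lookalike"]


if __name__ == "__main__":
    for r in scan(SAMPLE_DOMAINS):
        print(r["domain"], "->", "; ".join(r["reasons"]))
```

The allowlist check runs first so that genuine Microsoft hosts such as login.microsoftonline.com never trip the brand-token rules; everything that survives it and still carries a Microsoft-looking label is a candidate for the kind of seizure process the article goes on to describe, not an automatic verdict.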
Because of that, Burt explained, Microsoft has made a habit of tracking the group and using its legal team to have those domains seized: they are either shut down or handed over to Microsoft's security team, which then uses them to gather intelligence on the inner workings of the operation.
Burt said that, after two years of tracking the gang, Microsoft has become efficient enough that a new domain can be challenged and seized in as little as 24 to 48 hours. "The goal here is to say stop using Microsoft domain names," Burt said. "If you keep using them, we are going to make it more costly for you."
This is also why securing your Microsoft Office 365 accounts with multi-factor authentication is crucial: a phished password on its own then isn't enough to get into the inbox. Bear in mind that one-time codes can still be relayed by a phishing page in real time, so phishing-resistant methods such as FIDO2 security keys are the stronger choice.
Burt's comments come as the US Department of Justice issued a report warning that attacks on the mid-term elections are all but assured. The report notes that the government has created a task force, drawing on multiple agencies and state attorneys general, that will focus on detecting and prosecuting attempts to affect the outcome of the mid-term vote. ®