Microsoft has claimed it thwarted a Russian-backed phishing attack by seizing control of fake copies of right-leaning American think tanks' websites – including one led by a prominent Donald Trump critic.
A US court order authorised Microsoft to apprehend six domains that the Windows maker said were linked to the APT28 hacking crew, also known as Fancy Bear and Strontium, according to Redmond.
The Hudson Institute mainly focuses on American national security and foreign policy issues while the International Republican Institute promotes the foreign policy ideas of the US Republican Party, focusing on attitudes to America overseas.
"We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group," boasted Microsoft prez Brad Smith in a corporate blog post.
The six domains were:
The domain for the Hudson Institute is hudson.org, while the IRI resides online at iri.org. The similarities may have been enough to trick the unfamiliar into visiting these sites and entering login credentials or downloading malware.
"We currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains," Smith said.
Kremlin-backed APT28 doesn't even bother hiding its attacks, says Finnish secret policeREAD MORE
The IRI was headed up by American senator John McCain, one of president Donald Trump's more outspoken critics from within his own party. McCain, who was recently diagnosed with brain cancer, stepped down from the IRI leadership at the end of July and anointed Dan Sullivan as its new chairman. Like McCain, Sullivan is a critic of Trump.
"The Kremlin has particularly sought to discredit anti-Trump groups, including within the Republican party," opined Dan Arenson, an analyst from infosec firm Falanx Group.
Microsoft's blog post also revealed that two current American senators may have been targeted by online attackers, among others. "This pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."
Last year the Finnish secret police said that APT28 is no longer bothering to hide its attacks, something that its recent Italian job brought into sharp relief. Thought to be a unit of the GRU, the Russian intelligence agency, APT28 has long been a thorn in the side of the internet. ®