Election meddling has been a sore subject in the United States since 2016, with numerous accusations of foreign sources and the particular US sides they favor. According to a new report by Microsoft, the picture ahead of the 2020 election is a little more clear: pretty much all of America’s major rivals and enemies are looking to interfere, and they’re attacking both the Trump and Biden camps with great frequency.
Microsoft’s report is based on its findings from the security tools built into its various products, from Windows itself to various cloud services. It finds that while some nations are taking a particular interest in one candidate, others are seeking intelligence targets of opportunity wherever they might find them.
Hacker groups from “the usual suspects” are the most active
Microsoft warns that the results it has seen are consistent with an early August press release issued by the National Counterintelligence and Security Center (NCSC) that warned foreign states would attempt to sway US voters, sow discord and undermine faith in the electoral process. The warning named China, Russia and Iran as the leading threats in this regard.
The Microsoft report corroborates that this “unholy trinity” of foreign influences has been the most active in attempting to disrupt and exploit the 2020 election, targeting both the Trump and Biden camps heavily. China appears to prefer attacking the Biden camp, Iran has seemed to focus on Trump, and Russia is getting into just about everything it can.
Russian election hacking
Microsoft notes Russian hacker groups as the most broadly active, having attacked at least 200 organizations in recent months. These are a mix of elements of the Trump and Biden campaigns, various independent advocacy groups, and political consultants. The report claims that Strontium (also known as Fancy Bear), the Russian hackers previously tied to 2016 election interference by the Mueller report, seems to be leading these activities.
Strontium has been using a variety of means to harvest user credentials and gain access to accounts: spearphishing, password spray and brute force password cracking attempts primarily. These efforts are being directed against consultants for both the Trump and Biden campaigns, prominent advocacy and “think tank” organizations, and both the Democrat and Republican national and state-level election groups. It is also making attempts on the political parties of the UK and the European People’s Party.
The goal appears to be intelligence-gathering and disruption of both the Trump and Biden campaigns. The hacker groups have evolved their tactics since the similar 2016 campaign, using a rotation of over 1,000 IP addresses to facilitate its cracking attempts and anonymizing many through Tor. Microsoft estimates that the group adds and drops about 20 IP addresses per day to keep ahead of block lists.
Chinese election hacking
China’s hacker groups have been active against the Trump and Biden campaigns since March and have compromised at least 150 targets in that time.
The Chinese hackers appear to have a specific focus on high-profile figures in the Biden campaign and those that possess useful levels of access, though Microsoft reports it has made at least one attempt against a similar Trump staffer. The group is also targeting academics that specialize in international affairs with attacks on at least 15 universities and 18 policy organizations to date.
This group’s primary method of attack is to set up phony websites populated with content that would be of interest to these targets and email URLs to them. While the sites themselves are not necessarily malicious, the hacker groups take note of who opts to follow the links and focuses in on them with targeted attacks.
Iranian election hacking
Iran’s hacker groups, dubbed Phosphorous, have been tracked by Microsoft for several years as they have waged political espionage campaigns throughout the Middle East. The group is now bringing its experience to bear against the Trump and Biden campaigns by trying to crack the accounts of campaign staffers and administration officials. The group was particularly active in May and June, but Microsoft reports that it failed to successfully log into any of the accounts it tried to breach. Though it has made attempts against Trump staff, the US intelligence community believes Iran is attempting to sway the election in favor of Biden.
Risks and prevention
The Department of Homeland Security top cyber official Christopher Krebs confirmed the information in the Microsoft report and added that the hacker groups had not penetrated voting infrastructure or election systems.
Roger Grimes, Data Driven Defense Evangelist for KnowBe4, commented: “This is a great example of how sophisticated and proactive today’s vendors are. In this case, Microsoft proactively detected the attacks, identified the threats, and notified the potential victim companies so they could be more aware and prepare. Microsoft and other vendors, like Google, have been doing this for many years. A decade ago, this would have been something solely in the realm of a three-letter agency that noticed, likely accidentally while investigating some other victim, and got involved in. Today, it’s independent vendors who have the tools and telemetry to proactively warn their customers, big and small.”
However, while Microsoft has done a great deal of work the attack is far from over. The primary threat from the hacker groups appears to be to Trump and Biden administration and campaign staff, academics and those in the foreign policy space that have some connection to the election. Microsoft has encouraged the federal government to provide more funding to state and local election authorities to harden defenses, but at the moment high-risk prominent individuals should be expected to practice good security hygiene such as implementing unique passwords for each account, multi-factor authentication and not clicking through links sent in emails.