The alleged Russian-linked threat group known as APT28 has been blamed for more mischief in the United States, this time by setting up a number of web sites mimicking prominent American political organizations.
On Monday Microsoft president Brad Smith said the company has seized six fake domains, three of which have been pretending to be websites of the U.S. Senate; one pretending to be the International Republican Institute, which promotes democratic principles; one pretending to be the Hudson Institute, a notable think tank; and one that was pretending to be a Microsoft Office 365 site.
Last week, Microsoft’s Digital Crimes Unit got a court order to take over the sites.
The seized sites are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.
The domains, Smith said, were “created by a group widely associated with the Russian government and known as Strontium, or alternatively Fancy Bear or APT28. We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group.”
One of those takedowns, according to The Hacker News, came earlier this year, when Microsoft helped Washington block Russian hacking attempts against at least three congressional candidates.
In December 2016 the U.S. Department of Homeland Security and the FBI issued a joint analysis report that identified APT28 (and a group threat researchers call APT29) as backed by Russian civilian and military intelligence services. Last month Russian President Vladimir Putin said, “The Russian state has never interfered and is not going to interfere in internal American affairs, including the election process.”
Although Smith’s blog linked the discovery of the fake sites to foreign entities “launching cyber strikes to disrupt elections and sow discord” in recent elections in the U.S. and France, Microsoft admits it has no evidence those domains were used in any successful attacks, nor evidence of the ultimate targets of any planned attack involving these domains.
Still, Microsoft says it is worried “by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States.”
SecurityWeek.com quoted Sean Sullivan, security advisor at security vendor F-Secure, as cautioning that the fake domains may not necessarily be related to elections.
“Microsoft’s announcement is generating a lot of attention and the focus is overwhelmingly centered on the 2018 mid-term elections. But it’s important not to lose sight of the bigger issue,” he said. “The focus on think tanks holding pro-sanction views on Russia’s current regime is about espionage. In short: spies are going to spy. That’s true whether or not it’s an election year. There seems to be a rush to conclude that these six domains are part of an ‘attack’ on the elections that risks missing the complete threat model – and therefore the complete countermeasures that should be taken.”
“It’s good to see cybersecurity professionals taking action against phishers,” said Terry Ray, CTO of security firm Imperva. “However, let’s not forget that it’s far easier to create a new domain than it is to get permission to take one offline, and with the vast number of available domains that can look like a political support organization, the hackers still have the advantage. Consider that Microsoft eliminated the my-iri.org domain because it looks like a domain for the International Republican Institute; hackers can also create iri-my.org, or my1-iri.org, or your-iri.org, etc. The number of options is only limited by the hackers’ imagination and takes minutes to create and use. On the defender’s side, finding, verifying and eliminating domains is a more tedious process which requires proof, documentation, multiple law enforcement agencies and, most importantly, time. I applaud the efforts of Microsoft in this, but I look for businesses like theirs to better validate legitimate domains versus bogus in spam and other filters proactively for the consumer in the e-mail tools we all use, in addition to the deletion of some domains.”
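Ray’s point that lookalikes are cheap to mint and slow to take down is why defenders keep a watch on newly registered domains rather than waiting for court orders. As an added example (not from the article or any vendor named in it), here is a small Python triage filter that flags domains borrowing a protected organisation’s name tokens, run over the six seized names; the brand tokens, allowlist and login-bait list are constructed assumptions.

```python
import re
# Constructed watch list (assumption, not from the article): name tokens of the
# impersonated organisations plus the Microsoft service names the fakes borrowed.
BRAND_TOKENS = {"iri", "hudson", "senate", "office", "onedrive", "sharepoint"}
# Constructed allowlist of the organisations' own domains (assumption).
ALLOWLIST = {"iri.org", "hudson.org", "senate.gov", "office.com",
             "onedrive.com", "sharepoint.com"}
# Login-page dressing; "adfs" and "my" occur in the seized names themselves.
AUTH_BAIT = {"adfs", "my", "login", "sso", "owa", "auth"}

def registrable_label(domain: str) -> str:
    """'adfs-senate' from 'adfs-senate.services' (no public-suffix handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def tokens(label: str) -> list[str]:
    """Split on hyphens, underscores and digit runs: 'my1-iri' -> ['my', 'iri']."""
    return [t for t in re.split(r"[-_0-9]+", label) if t]

def brand_hits(domain: str) -> set[str]:
    """Brand tokens a domain borrows; empty for allowlisted or unrelated names.
    Brands shorter than 5 chars must match a whole token, so 'spirit.org' does
    not trip 'iri'; longer ones may also be a token prefix/suffix ('hudsonorg')."""
    if domain.lower() in ALLOWLIST:
        return set()
    hits = set()
    for t in tokens(registrable_label(domain)):
        for b in BRAND_TOKENS:
            if t == b or (len(b) >= 5 and (t.startswith(b) or t.endswith(b))):
                hits.add(b)
    return hits

def triage(domains: list[str]) -> dict[str, tuple[list[str], list[str]]]:
    """Map each flagged domain to (borrowed brands, login-bait tokens)."""
    out = {}
    for d in domains:
        brands = brand_hits(d)
        if brands:
            bait = AUTH_BAIT & set(tokens(registrable_label(d)))
            out[d] = (sorted(brands), sorted(bait))
    return out

if __name__ == "__main__":
    # Constructed feed: the six seized names plus benign noise.
    feed = ["my-iri.org", "hudsonorg-my-sharepoint.com", "senate.group",
            "adfs-senate.services", "adfs-senate.email", "office365-onedrive.com",
            "iri.org", "spirit.org", "example.com"]
    for d, (brands, bait) in triage(feed).items():
        print(f"{d:30} brands={brands} bait={bait}")
```

A real deployment would feed this from certificate-transparency logs or a newly-registered-domain feed and hand the hits to an analyst, not block on them automatically.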