State-sponsored hackers have been in action again, trying to probe the Trump and Biden campaigns for information ahead of the US Presidential election in November, according to Microsoft.
The tech giant’s corporate vice-president for customer security and trust, Tom Burt, revealed that it had detected activity from prolific Iranian, Russian and Chinese groups.
Worryingly, he said that only “the majority” of attacks were “detected and stopped by security tools built into our products.”
Of most concern will be the return of the notorious APT28 (aka Fancy Bear, Strontium), which previously hacked and released damaging emails from Democratic Party officials ahead of the 2016 election.
The group has targeted not only Republican and Democrat consultants but think tanks, national and state party organizations in the US, and European and UK political parties. In total, over 200 organizations have apparently been attacked.
Burt said APT28 is augmenting its typical spear-phishing attacks with new tactics.
“In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” he added.
“Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.”
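A defender-side illustration of the spray pattern Burt describes (one failed attempt per account, spread across many rotating source IPs so that no single IP or account trips a lockout), added here and not part of Microsoft's report or this article. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in log lines (not from the article): UTC time, result, user, source IP.
# The 08:00 block mimics a low-and-slow spray: one failure per account, each from a
# different IP. The 09:15 block is an ordinary single-IP brute force for contrast.
SAMPLE_LOG = """\
2020-09-10T08:00:01Z FAIL alice@example.org 198.51.100.10
2020-09-10T08:01:12Z FAIL bob@example.org 198.51.100.23
2020-09-10T08:02:40Z FAIL carol@example.org 203.0.113.5
2020-09-10T08:04:03Z FAIL dave@example.org 203.0.113.77
2020-09-10T08:05:57Z FAIL erin@example.org 192.0.2.9
2020-09-10T08:07:30Z FAIL frank@example.org 192.0.2.140
2020-09-10T08:09:00Z OK alice@example.org 10.0.0.15
2020-09-10T09:15:00Z FAIL grace@example.org 198.51.100.10
2020-09-10T09:15:20Z FAIL grace@example.org 198.51.100.10
2020-09-10T09:15:41Z FAIL grace@example.org 198.51.100.10
2020-09-10T09:16:02Z FAIL grace@example.org 198.51.100.10
"""

def parse_log(text):
    """Parse the constructed format into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, result, user, ip = line.split()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip))
    return events

def detect_password_spray(events, window_minutes=30, min_users=5, max_fails_per_ip=3):
    """Bucket failed sign-ins into fixed windows (window_minutes must divide 60) and flag
    windows where many distinct accounts fail while no source IP exceeds a per-IP lockout
    threshold. Per-IP or per-account counters alone miss this; the cross-account view
    within a window is what exposes the spray."""
    buckets = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            start = ts.replace(minute=ts.minute // window_minutes * window_minutes, second=0)
            buckets[start].append((user, ip))
    alerts = []
    for start in sorted(buckets):
        fails = buckets[start]
        users = {u for u, _ in fails}
        per_ip = defaultdict(int)
        for _, ip in fails:
            per_ip[ip] += 1
        if len(users) >= min_users and max(per_ip.values()) <= max_fails_per_ip:
            alerts.append({"window_start": start.isoformat(), "distinct_users": len(users),
                           "distinct_ips": len(per_ip), "failures": len(fails)})
    return alerts
```

Running `detect_password_spray(parse_log(SAMPLE_LOG))` flags only the 08:00 window; the single-IP brute force at 09:15 is left to per-IP lockout logic.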
Not to be outdone, China’s APT31 (aka Zirconium) has also been in action targeting the Biden and Trump campaigns, as well as noted figures in international affairs and academia. Microsoft said it has seen thousands of attacks between March and September, resulting in nearly 150 compromises. The activity was also spotted by Google back in June.
“Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account,” explained Burt.
“Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site. For nation state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
Finally, Iran’s APT35 (aka Charming Kitten, Phosphorus) has been unsuccessfully attempting to access the email accounts of Trump campaign staff, said Burt.
The news comes as a new book by noted journalist Bob Woodward has made some shocking new allegations about Trump’s handling of the COVID-19 crisis and attempts by political appointees to influence intelligence reports.
It claims the President knew about and deliberately played down the seriousness of the virus, and that staffers tried to manipulate intelligence reports to play down the intelligence threat from Russia and homegrown white supremacists and hype the threat from China.