Democracy 'Under Attack' as Russian Hackers Target Conservative Groups

Hackers with links to Russian military intelligence continue to conduct covert cyberattacks on U.S. targets, recently going after conservative think tanks that have split with the policies of President Donald Trump, Microsoft said in a new report released Tuesday.

Microsoft said it had gleaned new insights from six internet domains seized from the unit widely known as APT28, or Fancy Bear, which worked to sway the 2016 presidential election.

New evidence suggested that the group—known to Microsoft as Strontium—was posing as at least two conservative think tanks that had criticized Russia. These included the International Republican Institute and the Hudson Institute. The hackers' aim, much like in 2016's presidential election meddling, would have been to steal passwords and private data.

The internet domains, which also imitated the U.S. Senate, indicated that the hacking group's targets had broadened, Microsoft President Brad Smith wrote in a blog post Monday. He noted the culprits were "likely to continue" clandestine operations as the November midterm elections approached. "It's clear that democracies around the world are under attack," Smith stated.

Photo: U.S. President Donald Trump and Russian President Vladimir Putin arrive for a meeting in Helsinki, Finland, on July 16. BRENDAN SMIALOWSKI/AFP/Getty Images

Microsoft said it had "no evidence" to suggest the domains were used in successful cyberattacks but was nevertheless concerned by activity against elected officials and think tanks.

The firm said it had notified the targeted organizations and had worked with Senate staff for months to bulk up cybersecurity and monitor potential threats. The International Republican Institute and the Hudson Institute did not immediately respond to requests for comment.

"We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks," Smith wrote in the Microsoft blog post. The technology company, which is working within the U.S. court system to seize domains linked to the hackers, said it had shut down a total of 84 fake websites associated with the group.

One of the seized domains was caught posing as Microsoft's OneDrive service.

As noted by The New York Times, board members of the International Republican Institute had criticized Trump's meetings with his Russian counterpart, Vladimir Putin. The Hudson Institute, meanwhile, had pushed out an analysis of government abuse of power, including within Russia.

According to the Times, the groups argued for continued sanctions against Moscow. The hackers' websites typically mirror legitimate versions but pilfer any user details entered.

Russia denied links to the hacking unit, which has conducted cyber-espionage for years.

As reported by Reuters, Kremlin spokesman Dmitry Peskov told reporters during a press conference Tuesday: "Who exactly are they talking about? We don't understand what the proof and the basis is for them drawing these kind of conclusions. Such information is lacking."

Photo: Russian President Vladimir Putin attends a joint news conference with Japanese Prime Minister Shinzo Abe following their meeting at the Kremlin in Moscow on May 26. GRIGORY DUKOR/AFP/Getty Images

U.S. intelligence had said the hacking group was working to sow political division in America. In 2016, an unprecedented campaign leaked emails, spread propaganda and abused social media.

An organization called the Internet Research Agency allegedly spearheaded much of the work. A dozen Russian intelligence officials were recently indicted for hacking a U.S. entity.

In July, Microsoft uncovered evidence that three candidates running in the 2018 midterms had been the target of the Strontium hackers. It was later confirmed that one of the individuals had been Senator Claire McCaskill, a Democrat from Missouri, whom Trump had criticized.

In the wake of the news, McCaskill branded Putin a "thug and a bully."

While attribution in cybersecurity remains difficult, the majority of evidence gathered by researchers suggests that close links exist between the Russian state and the hackers' work.

FireEye, a U.S.-based cybersecurity company, concluded in a report released last year that APT28's operations were "consistent with government sponsorship and control." It said, "APT28 closely integrated its cyberattacks into broader propaganda efforts of benefit to a nation-state actor."

This article was updated to add comment from Kremlin spokesman Dmitry Peskov.