Russian interference in US elections ramps up on schedule

With the critical US 2020 presidential election looming, Russian-state backed hackers are once again after organisations directly involved in political elections, launching thousands of targeted attacks

As the 2020 presidential election draws closer, advanced persistent threat (APT) actors operating with tacit backing from the Russian government are ramping up cyber attacks on organisations in the US right on schedule, according to Microsoft’s Threat Intelligence Centre (MSTIC), which has recently published information on the activities of the Fancy Bear group – which it refers to as Strontium.

Four years ago, Fancy Bear, and its counterpart Cozy Bear, were linked to hacks of the Democratic National Committee (DNC) that turned out to be an influential factor in the loss of the 2016 presidential election, leading to global destabilisation and the erosion of the US’s international influence and reputation under President Trump.

Destabilising the US is considered in line with Russia’s strategic geopolitical goals, so it was always considered a virtual certainty that similar attacks would take place in 2020.

MSTIC’s new evidence links Fancy Bear to a newly uncovered series of credential harvesting attacks aimed at political organisations in both the US and the UK that has been ongoing since September 2019. Credential harvesting is a known tactic used by Fancy Bear to obtain access to the systems of its targets for future surveillance or intrusion operations.

MSTIC said it had seen attacks on tens of thousands of accounts at more than 200 organisations since last September, and almost 7,000 in the two-week period – 18 August to 3 September 2020 – following the formal nomination of Joe Biden as the Democrats’ candidate. MSTIC added that none of the accounts targeted were actually compromised this time around.

Writing in a disclosure blog post, Tom Burt, Microsoft corporate vice-president (CVP) of customer security and trust, said: “The majority of these attacks were detected and stopped by security tools built into our products. We have directly notified those who were targeted or compromised so they can take action to protect themselves. We are sharing more about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with their support.

“What we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers, but also those they consult on key issues. These activities highlight the need for people and organisations involved in the political process to take advantage of free and low-cost security tools to protect themselves as we get closer to election day.”

MSTIC said that, having relied heavily on spear-phishing techniques four years ago, Fancy Bear was now taking a different approach and using brute-force techniques or password-spray tooling. It explained that this shift in tactics, which has also been observed in other nation state-linked APT groups, enabled them to carry out large-scale credential harvesting operations in a more anonymised manner.

Fancy Bear’s tooling, for example, routes authentication attempts through a pool of about 1,100 IP addresses that are mostly associated with the Tor anonymising service. It adds and removes around 20 IP addresses to this pool daily, and alternates its authentication attempts against this pool about once a second. MSTIC judges this an indicator that Fancy Bear is trying to better obfuscate its activity, and avoid its attacks being tracked and attributed.

However, it did note that some of the blocks of IP addresses were more heavily used by the tooling, suggesting that the anonymisation service is overserving them, which gives defenders an opportunity to hunt for activity. More details of this, and guidance on effective defence, are available from Microsoft.
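One defender-side way to surface the pattern described above (many accounts tried a few times each, the source address changing roughly every attempt, and a few address blocks carrying a disproportionate share of the traffic) is shown below. This is an added example, not Microsoft's tooling or guidance; the log format, the thresholds and the sample sign-in lines are constructed assumptions.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample sign-in log (not real data): "<ts> <account> <src_ip> <result>"
SAMPLE_LOG = """\
2020-08-20T10:00:00Z alice@example.org 203.0.113.5 FAIL
2020-08-20T10:00:01Z bob@example.org 203.0.113.9 FAIL
2020-08-20T10:00:02Z carol@example.org 198.51.100.7 FAIL
2020-08-20T10:00:03Z dave@example.org 203.0.113.5 FAIL
2020-08-20T10:00:04Z erin@example.org 203.0.113.17 FAIL
2020-08-20T10:00:05Z frank@example.org 192.0.2.44 FAIL
2020-08-20T10:00:06Z grace@example.org 203.0.113.9 FAIL
2020-08-20T10:00:07Z heidi@example.org 203.0.113.5 FAIL
2020-08-20T10:05:00Z alice@example.org 192.0.2.10 OK
"""

def parse(text):
    """Split log lines into (timestamp, account, source_ip, result) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def spray_profile(records):
    """Summarise failed sign-ins: a spray touches many accounts a few times each
    from many rotating sources, whereas brute force hammers one account.
    ip_rotation = share of consecutive failures whose source IP changed."""
    fails = [(acct, ip) for _, acct, ip, res in records if res == "FAIL"]
    per_account = Counter(acct for acct, _ in fails)
    ips = [ip for _, ip in fails]
    switches = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "failures": len(fails),
        "accounts": len(per_account),
        "max_per_account": max(per_account.values(), default=0),
        "source_ips": len(set(ips)),
        "ip_rotation": switches / (len(ips) - 1) if len(ips) > 1 else 0.0,
    }

def is_spray(profile, min_accounts=5, max_per_account=3, min_rotation=0.5):
    """Thresholds are assumptions for the sample; tune to your sign-in baseline."""
    return (profile["accounts"] >= min_accounts
            and profile["max_per_account"] <= max_per_account
            and profile["ip_rotation"] >= min_rotation)

def overused_blocks(records, prefix=24, share=0.5):
    """Return /prefix blocks carrying at least `share` of all failures: blocks a
    rotating pool leans on are the hunting pivot the article describes."""
    fails = [ip for _, _, ip, res in records if res == "FAIL"]
    blocks = Counter(str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in fails)
    return [(b, n) for b, n in blocks.most_common() if n / len(fails) >= share]
```

Run against real sign-in exports, the same three views (accounts per window, failures per account, and failures per block) are what separate a distributed spray from ordinary mistyped passwords.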

Burt said: “We believe it’s important the world knows about threats to democratic processes. It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities.

“We also believe more federal funding is needed in the US so states can better protect their election infrastructure. While the political organisations targeted in attacks from these actors are not those that maintain or operate voting systems, this increased activity related to the US electoral process is concerning for the whole ecosystem.”

Burt said Microsoft would continue to encourage state and local election bodies to harden their operations, but said additional funding for this was badly needed, particularly as resources are stretched to accommodate the anticipated increase in postal voting, thanks to the Covid-19 pandemic.

“We encourage Congress to move forward with additional funding to the states and provide them with what they need to protect the vote,” he said.

MobileIron’s UK and Ireland director, David Critchley, said: “The announcement of more state-sponsored cyber security attacks geared towards the US election is another stark reminder of the need for public figures to properly defend themselves against cyber threats. With hackers reportedly attacking both sides of the election, the threat transcends party political lines and should be addressed accordingly.

“Microsoft has highlighted how attack campaigns have sought to harvest people’s log-in credentials. Public bodies can take two simple steps to improve their defences to such attacks. First, eliminating passwords and replacing them with a more thorough means of authentication, such as biometrics, provides organisations’ critical data with a much better level of protection upon access. Second, by deploying a managed threat detection system with advanced phishing capabilities, threats can be effectively mitigated as they arise.”

Roger Grimes, data-driven defence evangelist at KnowBe4, said the fact that suppliers such as Microsoft were now better able to attribute such attacks was a positive development.

“A decade ago, this would have been something solely in the realm of a three-letter agency that noticed, likely accidentally while investigating some other victim, and got involved in. Today, it’s independent vendors who have the tools and telemetry to proactively warn their customers, big and small,” he said.

“It’s really great and one of the few computer security success examples we should be celebrating. It’s one for the good guys.”