Microsoft Seizes Hacker Domains Pointed Toward U.S. Senate

Microsoft said late Monday that its Digital Crimes Unit seized, with the approval of a special master appointed by a federal court, six internet domains created by Strontium, a hacker organization associated with the Russian government.

Of the six domains seized, three appeared to be related to the U.S. Senate, one appeared to be linked to the Washington-based Hudson Institute think tank, and another appeared to be related to the International Republican Institute (IRI), another D.C.-based organization that says it works to strengthen democracies and combat threats to democratic processes including by “countering Kremlin disinformation in Europe.”

“We currently have no evidence these domains were used in any successful attack…Nor do we have evidence to indicate the identity of the ultimate targets of any planned attacks involving these domains,” Microsoft said.

Nonetheless, the company said the six domains it seized appear to fit the description of other seized sites associated with Strontium, in which “attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit.”  Microsoft said the domain seizures marked its twelfth effort over the past two years, resulting in the shutdown of 84 fake websites associated with Strontium.

More broadly, Microsoft said, “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” and, in light of that, announced the expansion of its existing Defending Democracy Program with a new initiative called Microsoft AccountGuard. That program, the company said, will provide free “state of the art” cybersecurity protection to all local, state, and federal candidates and campaign offices “as well as think tanks and political organizations we now believe are under attack,” so long as they use the company’s Office 365 product line.

In offering free services to political campaigns and others, Microsoft joins a number of other firms offering similar free services, including Akamai, McAfee, Cylance, and Cloudflare.

As for the possible intended victims of the Strontium effort, Microsoft said it notified Hudson and IRI and that both organizations “responded quickly.”  The company said it will “continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems.”

“Cyber attacks have become one of the preferred tools of authoritarians around the world to harass and undermine independent organizations and democratic governments,” said Daniel Twining, IRI’s president, in a statement.  “This latest attempt is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights. It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime,” he said.

On the Senate side, Microsoft said “we’ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators.”  Sen. Claire McCaskill, D-Mo., said earlier this year that Russian hackers tried unsuccessfully to hack into her Senate office network.

Despite the latest domain seizures, Microsoft said it remains “concerned by the continued activity targeting these and other sites and directed toward election officials, politicians, political groups and think tanks across the political spectrum in the United States.  Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”
