The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc in the 2016 election, breaking into the Democratic National Committee and Hillary Clinton's campaign and leaking their secrets publicly. Since then, the cybersecurity community has been waiting for the day the group would return to sow more chaos. That day has arrived just in time for the 2020 election: according to Microsoft, Fancy Bear has stepped up its election-related attacks over the past year.
On Thursday, Microsoft published a blog post revealing that the Fancy Bear group, which Microsoft tracks as Strontium, has attacked more than 200 organizations since September 201
“The activity we are announcing today makes it clear that foreign activity groups have stepped up their efforts in the 2020 election as expected,” Microsoft's blog post said. “Microsoft has been monitoring these attacks and notifying targeted customers for several months, but has only recently reached a point in our investigation where we can most certainly attribute the activity to Strontium.”
Reuters reported earlier today that SKDKnickerbocker, a campaign strategy and communications firm working with presidential candidate Joseph Biden and other prominent Democrats, had received a warning from Microsoft that Russian hackers had unsuccessfully attacked it, although the warning did not name Fancy Bear. WIRED reported in July that Fancy Bear had been targeting US government agencies, educational institutions and the energy sector, with no apparent aim of influencing the 2020 election.
Microsoft's blog post also describes politically focused hacking campaigns by a Chinese group called Zirconium or APT31 and an Iranian group called Phosphorus or APT35. The Chinese campaign included around 150 successful compromises of organizations over the past six months, according to Microsoft's researchers. They note that the hackers tried to target the Biden campaign, apparently without success, as well as “a person who was previously linked to the Trump administration”. APT31 has also hit more traditional espionage targets, including academics at 15 universities and the accounts of employees at 18 think tanks, among them the Atlantic Council and the Stimson Center.
According to Microsoft, the Iranian campaign tried in May and June of this year to gain access to multiple accounts belonging to people involved in the 2020 presidential election, as well as several members of the Trump administration and campaign staff. Those attempts against Trump-associated targets were unsuccessful, Microsoft adds.
Even so, according to the threat intelligence firm FireEye, Russia's recent attacks are the most troubling. That is because the Russian military intelligence agency GRU, and in particular the Fancy Bear team, identified as GRU Unit 26165, goes beyond traditional espionage, unlike the Iranian or Chinese groups, to carry out political hack-and-leak operations such as those conducted ahead of the 2016 US presidential election and the 2017 French presidential election.
“We are still most concerned about Russian military intelligence, which we believe poses the greatest threat to the democratic process,” said a note that FireEye sent to its customers warning of the politically motivated hacking campaigns, which referred to the group as APT28. “Orientation towards political organizations is a common feature of cyber espionage. Parties and campaigns are good sources of information for future politics, and it is likely that Iranian and Chinese actors targeted US campaigns to quietly gather information, but the unique story of APT28 increases the prospect of follow-up, via information operations or other devastating activity.”