With the U.S. presidential election quickly approaching, many people are on the edge of their seat, waiting to see who will lead the country for the next four years.
One thing that almost everyone can agree on is that it would be beneficial to avoid outside interference, like we saw in 2016 with Russia.
Unfortunately, Microsoft has uncovered new nation-state cyberattacks targeting individuals and organizations involved in the upcoming presidential election. These attacks are going after people associated with both the Trump campaign and the Biden campaign.
Microsoft researchers say they are tracking three separate groups of attackers: from Russia, China, and Iran.
Russian cyberattacks target Trump and Biden in the 2020 election
"Strontium" is a Russia-based activity group that has been monitored very closely since they were identified in the Mueller report as the organization primary responsible for the attacks on the Democratic presidential campaign in 2016.
Now, Microsoft says from September 2019 through August 2020 Strontium repeatedly launched attacks to gather political operative login information to try to compromise accounts for the purpose of collecting intelligence.
The Microsoft Threat Intelligence Center (MSTIC) reveals some crucial details:
"Many of Strontium's targets in this campaign, which has affected more than 200 organizations in total, are directly or indirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe."
These targets include:
- U.S.-based consultants serving Republicans and Democrats;
- Think tanks such as The German Marshall Fund of the United States and advocacy organizations;
- National and state party organizations in the U.S.; and
- The European People's Party and political parties in the U.K.
One challenging aspect of these attacks is that Strontium has changed its attack strategy since the 2016 election. In the previous election, they mainly used an email spear-phishing strategy to capture individuals' credentials.
Now for the 2020 election, they are using two different attack strategies, including brute force attacks and password sprays.
The MSTIC technical bulletin on the attack explains what researchers are documenting:
"In password-spray mode, the tooling attempts username: password combinations in a 'low-'n-slow' manner. Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.
In brute-force mode, the tooling attempts many username: password attempts very rapidly for a much shorter time period. Organizations targeted by the tooling running in this mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days."
One significant detection problem with these attacks is that most attempts come from different IP addresses.
Chinese cyberattacks target Biden in the 2020 election
Zirconium is an APT organization based in China. Its cyberattacks are attempting to gather intelligence on organizations associated with the upcoming U.S. election.
Between March and September of this year, Zirconium attempted thousands of attacks which resulted in almost 150 system compromises.
According to Microsoft, the organization has two primary targets:
"First, the group is targeting people closely associated with U.S. presidential campaigns and candidates. For example, it appears to have indirectly and unsuccessfully targeted the Joe Biden for President campaign through non-campaign email accounts belonging to people affiliated with the campaign.
The group has also targeted at least one prominent individual formerly associated with the Trump Administration.
Second, the group is targeting prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center."
Zirconium uses what is often referred to as web bugs, or web beacons, that are tied to a domain they purchase and then populated with content. The group then sends the domain URL as an email or attachment to the targeted account.
Even if the domain itself causes no harm, the bug will be able to see if the target tried to access the website. This is a simple way to see if the targeted account is valid and if the user is active.
Iran cyberattacks target Trump in the 2020 election
Phosphorus is an APT group based in Iran. Microsoft has tracked this group for years. Most recently, however, it's been caught going after President Trump's re-election team and his presidential staff:
"Phosphorus has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election.
Between May and June 2020, Phosphorus unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff."
Why should the world learn about 2020 election hacking attempts?
Why is Microsoft releasing this information the same week that some Americans are beginning to cast their mail-in absentee ballots?
Tom Burt, the company's Vice President for Customer Support and Trust, says it has to do with knowledge—knowledge becoming power.
"We disclose attacks like these because we believe it's important the world knows about threats to democratic processes. It is critical that everyone involved in democratic processes around the world, both directly or indirectly, be aware of these threats and take steps to protect themselves in both their personal and professional capacities."
SecureWorld believes in talking about nation-state cyber threats, too.
Nation-state cyber threats to the U.S. and the world
Who are the "big four" nation-station cyber actors?
For more on what the nation-state cyber threat landscape looks like, listen to our podcast episode featuring CNN military analyst and SecureWorld keynote presenter Col. (Ret.) Cedric Leighton.
[RELATED: Top 10 Most Powerful Countries in Cyberspace]
