Employees at Microsoft’s cybercrimes unit in Redmond, Wash, Nov. 2, 2018. The Russian military intelligence unit that attacked the Democratic National Committee four years ago is back with a series of new, more stealthy hacks aimed at both Democratic and Republican campaigns, Microsoft warned in September 2020. (Kyle Johnson/The New York Times)
The Russian military intelligence unit that attacked the Democratic National Committee four years ago is back with a series of new, more stealthy hacks aimed at campaign staff, consultants and think tanks associated with both Democrats and Republicans.
That warning was issued Thursday by Microsoft, in an assessment that is far more detailed than any yet made public by U.S. intelligence agencies.
The findings come one day after a government whistleblower claimed that officials at the White House and the Department of Homeland Security suppressed intelligence concerning Russia’s continuing interference because it “made the president look bad” and instructed government analysts to instead focus on interference by China and Iran.
Microsoft did find that Chinese and Iranian hackers have been active — but often not in the way that President Donald Trump and his aides have suggested.
Contrary to an assessment by the director of national intelligence last month that said China preferred former Vice President Joe Biden win the election, Microsoft found that Chinese hackers have been attacking the private email accounts of Biden’s campaign staff, along with a range of other prominent individuals in academia and the national security establishment, including groups like the Atlantic Council and the Stimson Center.
Notably, only one of the Chinese targets detected by Microsoft was affiliated with Trump, a former administration official whom Microsoft declined to name.
The Biden campaign said it was “aware of reports from Microsoft that a foreign actor has made unsuccessful attempts to access the noncampaign email accounts of individuals affiliated with the campaign” and was preparing for the inevitable onslaught of attacks in the coming weeks. While it did not confirm the company’s reporting, it has taken issue with the director of national intelligence’s assessment, issued several weeks ago, that Chinese leaders prefer Biden over Trump. The Trump campaign did not immediately respond to requests for comment.
The Microsoft investigation also concluded that hackers related to Russia’s GRU, the military intelligence unit that oversaw the “hack and leak” campaigns in 2016 that made emails from Hillary Clinton’s campaign public, is going to new lengths to hide its tracks. It is routing some of its attacks through Tor, a service that conceals the attackers’ whereabouts and identity, which slowed the effort to identify the hackers.
So far, Microsoft officials said they found no evidence that hacking efforts this year were successful, but corporate officials noted that they have limited vision into Russia’s overall operations. They cannot say definitively that no materials were stolen or what Russia’s motivations may be. That, they said, was the role of U.S. intelligence officials.
Microsoft’s findings come just two weeks after the director of national intelligence, John Ratcliffe, declared that he would no longer let intelligence agencies give detailed, in-person briefings about election interference to Congress. He said the restrictions were because of leaks.
The company’s decision to publish its findings as the presidential campaign enters its final eight weeks underscored the futility of Ratcliffe’s effort: Firms like Microsoft and Google, because they sit atop global networks, have a front-seat view of suspicious activity and increasing motivation to make it public to warn their customers. The result, inevitably, is a tumble of reports from the private sector, which intelligence officials will be forced, one way or another, to assess along with their own findings.
In a statement, Christopher Krebs, who directs the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security, said, “We are aware that Microsoft detected attempts to compromise email accounts of people and organizations associated with the upcoming election.”
Krebs noted that “none are involved in maintaining or operating voting infrastructure, and there was no identified impact on election systems.” He also said that the company’s “announcement is consistent with earlier statements by the intelligence community on a range of malicious cyberactivities targeting the 2020 campaign and reinforces that this is an all-of-nation effort to defend democracy.”
Krebs, who was a Microsoft executive before joining the Trump administration, said his agency was releasing Thursday “guidance for improving cyberdefenses against account compromise attacks.”
There is no question that Microsoft’s assessment complicates the administration’s narrative that China poses a graver threat to U.S. elections than Russia, as both the national security adviser, Robert C. O’Brien, and Attorney General William Barr said in interviews last week.
In fact, the report concludes that the Russian military intelligence unit has only accelerated its attacks, even after a series of financial sanctions, indictments of Russian intelligence officers and retaliatory cyberstrikes by U.S. Cyber Command ahead of the 2018 midterm elections.
Microsoft’s researchers concluded that the GRU hacking unit — alternatively known as Fancy Bear, APT 28 or Strontium to different industry researchers — has been aggressively hacking the personal email accounts of American politicians, campaign staff members and consultants on both sides of the aisle.
In just the two weeks between Aug. 18 and Sept. 3, the group targeted 6,912 email accounts at 28 organizations, obfuscating its attacks through Tor.
Microsoft’s finding that it is Biden — not Trump — whom Chinese hackers are targeting also complicates a narrative pushed by the White House that China is interfering in the 2020 election to help the former vice president’s campaign.
While the Biden campaign said it would not comment on the specifics of the Microsoft findings, it disputed the U.S. intelligence assessment, arguing that China’s preference in the election was clear: the reelection of Trump.
“There are very obvious reasons China’s leadership would prefer four more years of President Trump,” said Antony J. Blinken, Biden’s longtime foreign policy adviser and a former deputy secretary of state. “He’s helped China advance its most important strategic goals: weakening American alliances; leaving a vacuum in the world for China to fill; giving Beijing a green light to trample human rights in Xinjiang and democracy in Hong Kong; and debasing our own democracy and so reducing its appeal.
“He also publicly echoed their propaganda downplaying COVID-19 while privately admitting how dangerous it was,” he said. “All of this benefits China at the expense of our nation.”
Currently, there are sharp and telling differences between the Russians and the Chinese.
China’s hacking of Biden’s campaign appears to be an attempt at standard espionage, similar to its 2008 hacking of presidential candidates John McCain and Barack Obama, when Chinese spies hacked internal position papers and emails of top campaign advisers for both candidates. Microsoft’s findings echo those of Google researchers in May, who determined that the same Chinese group was targeting Biden’s campaign.
Microsoft also said Thursday that Iran’s hackers have continued to target Trump’s campaign, as the company first warned in October, albeit with limited success. Microsoft has managed to take control of 155 of the web domains that Iran is using for its attacks.
But Iran has remained persistent. Between May and June, according to Microsoft investigators, Iran’s hackers went into overdrive trying to break into the personal email accounts of Trump administration officials and campaign officials, apparently without success.
In terms of sophistication, security researchers overwhelmingly say it is Russia’s GRU hackers that pose the gravest threat.
“Multiple cyberespionage actors are targeting organizations associated with the upcoming election, but we remain most concerned about Russian military intelligence, who we believe poses the greatest threat to the U.S. democratic process,” said John Hultquist, director of intelligence analysis at FireEye, which has worked with members of both political parties. “The GRU routinely violates international norms and has not been dissuaded by indictments and other attempts to halt their malicious activity.”
Just before Microsoft’s announcement Thursday, the Treasury Department announced new sanctions on three Russians and a member of Ukraine’s parliament — who was described as a Russian agent — for their efforts to influence the upcoming election.
“Russia has used a wide range of influence methods and actors to target our electoral process, including targeting U.S. presidential candidates,” the department said in a statement.
But the whistleblower complaint made public Wednesday, with its allegation that federal intelligence analysts were told to edit out references to Russian interference, has put the integrity of the government’s own assessments in doubt. The complaint says that in May, O’Brien instructed Chad Wolf, the acting secretary of Homeland Security, to stop providing intelligence assessments on the threat of Russian interference and report instead on China and Iran.
Intelligence officials warned the White House and lawmakers in February that Russia was actively working to reelect Trump and divide Democrats by supporting Sen. Bernie Sanders of Vermont. The Trump administration has contended that it has been tough on Russia, despite Trump’s refusal to criticize President Vladimir Putin.
But for two years now, Trump has been unwilling to lead meetings on election security related to Russia. In April, 2019 The New York Times reported that Kirstjen Nielsen, then the Homeland Security secretary, was instructed not to hold meetings in Trump’s presence describing the concerns about renewed Russian interference. Nielsen was soon forced to resign.
But in recent weeks Democrats have accused the administration of creating a false equivalency between the threat of interference between all three nation states. But even former Trump officials have recently weighed in. One former White House official said that by censoring or downplaying U.S. intelligence on Russian interference, Wolf had become “complicit” in Russia’s operations.
©2019 New York Times News Service