Microsoft says it has taken down six malicious websites targeting American politics that had been maintained by the same Russian military intelligence agency that hacked and leaked Hillary Clinton’s emails during the 2016 election.
In an announcement published at midnight Tuesday, Microsoft said it convinced a court last week to seize six domains created by the GRU, Russia's main foreign intelligence agency. Three of those sites mimicked the US Senate site, one a generic Microsoft site, and the other two were made to look like the sites of Washington think tanks, the Hudson Institute and the International Republican Institute.
The news comes on the heels of Microsoft's acknowledgments that it has interrupted previous attacks targeting the staffs of several congressional candidates. At least one US senator, Missouri Democrat Claire McCaskill, and two defeated House candidates in California, David Min and Hans Keirstead, have recently said they had been targeted.
It’s not uncommon for government-sponsored hackers to target lawmakers for the purposes of gathering intelligence. But the GRU is the only known government agency that not only regularly hacks politicians, but also sometimes strategically releases what it finds. Clinton has blamed her 2016 presidential loss in part on her hacked emails, which were leaked to WikiLeaks and regularly doled out to the public for weeks before the election. The GRU has also been accused of releasing emails from French President Emmanuel Macron’s campaign right before that country's presidential election in 2017.
Political campaigns are a particularly ripe target for foreign hackers seeking to influence US elections. While the country's elections systems are considered critical infrastructure, and therefore receive particular attention from the Department of Homeland Security, individual campaigns are largely left to their own devices.
Foreign intelligence agencies also regularly target think tanks, as part of broader attacks on US political systems. In 2016, the GRU hacked a think tank, the Bradley Foundation, and doctored an invoice to make it appear that Clinton had received illegal campaign donations. The International Republican Institute, which was among the six sites targeted, counts several sitting senators on its board.
“A .ru email with a suspicious email, we know to delete that immediately,” David Tell, head of public affairs at the Hudson Institute, told BuzzFeed News. “I got two of those myself last week.”
It’s unclear if the six GRU sites taken down by Microsoft were operational, or if they had successfully targeted any victims. The domains are believed to have been created recently.
Creating domain names to mimic political targets is a common GRU tactic. “Impersonating domains of their potential victims is pretty standard tradecraft” for its hackers, said Toni Gidwani, director of research operations at ThreatConnect, which tracks foreign government hacker activity.
“It’s something researchers are continuing to see now in 2018,” she said. “Even with all the attention to Russian attempts to interfere with the midterm elections, it’s still a valid attack pattern for threat actors.”
The takedown announced Tuesday is the latest move in what has become a regular pattern for Microsoft. According to the company, it marks the 12th time since 2016 in which it has identified a group of websites it believed to be created for GRU hacking, and convinced a court to give it ownership of the sites, allowing Microsoft to study the domains before taking them down. The company said it has shut down 84 fake websites this way.