Microsoft says it has observed a group widely associated with the Russian government launching numerous cyberattacks on democratic institutions in Europe between September and December 2018.
Targeting 104 accounts belonging to organization employees located in Belgium, France, Germany, Poland, Romania, and Serbia, the attacks were carried out by the Russia-linked cyber-espionage group APT28, also known as Pawn Storm, Sednit, Fancy Bear, and Strontium.
The hacking group, believed to be sponsored by Russia’s GRU intelligence agency, is associated with multiple high-profile attacks, including the DNC hack before the US 2016 elections and the targeting of Ukraine and NATO countries.
In February last year, German news agency DPA revealed that the group had infiltrated Germany’s foreign and interior ministries’ online networks.
The recent APT28 assaults were aimed at think tanks and non-profit organizations that are often in contact with government officials while working on topics related to democracy, electoral integrity, and public policy, Microsoft says.
Some of the intended victims include employees of the German Council on Foreign Relations, The Aspen Institutes in Europe and The German Marshall Fund.
“MSTIC [Microsoft’s Threat Intelligence Center] continues to investigate the sources of these attacks, but we are confident that many of them originated from a group we call Strontium,” Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft, reveals.
“These attacks came as no surprise – everything we do as an organization, from our policy research to our work strengthening civil society, is dedicated to advancing and protecting democratic values. The announcement serves as a reminder that the assault on these values is real and relentless,” Karen Donfried, president of The German Marshall Fund, said in a statement.
In August last year, Microsoft disrupted an APT28 campaign that was targeted at the midterm elections in the United States. At the time, the company seized multiple malicious domains, including some impersonating the websites of the International Republican Institute, the Hudson Institute, the U.S. Senate, and Microsoft’s Office 365 service.
As in last year's campaign, the new attacks relied on malicious URLs and spoofed email addresses that look legitimate, Microsoft says. The spear-phishing campaigns attempted to gain access to employee credentials and deliver malware on target networks.
Coupled with the campaign disrupted last year, the new attacks “suggest an ongoing effort to target democratic organizations,” Burt notes.
“We quickly notified each of these organizations when we discovered they were targeted so they could take steps to secure their systems, and we took a variety of technical measures to protect customers from these attacks,” Burt says.
In an effort to prevent similar attacks in the future, Microsoft expanded the availability of its Microsoft AccountGuard, which is part of its Defending Democracy Program, to twelve new European markets, namely France, Germany, Sweden, Denmark, Netherlands, Finland, Estonia, Latvia, Lithuania, Portugal, Slovakia, and Spain.