On September 10th, Microsoft disclosed that it had detected attempts by Russian, Chinese, and Iranian cyber actors to target both Republican and Democratic election campaigns.
The Russian actor Strontium (AKA Fancy Bear, APT 28; affiliated with the GRU military intelligence service), which was associated with a successful breach of the Democratic campaign in 2016, has reportedly targeted more than 200 organizations. Microsoft says the efforts have included attempts to harvest login credentials and compromise accounts. While continuing to use spear-phishing, Strontium has increased its use of brute-force and password-spray attacks. The credential-harvesting attacks appear to be disguised by routing them through more than 1,000 constantly rotating IP addresses, many associated with Tor. Russian actors have targeted candidates, campaign staffers, and outside consultants down to the state and local election level.
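Rotating the source address defeats per-IP lockout and alerting thresholds, so a spray has to be detected by its shape across accounts rather than per source. The following is an added example, not code from the bulletin or from Microsoft: a small detector that runs over a constructed set of failed sign-in events (hypothetical accounts and documentation-range IPs) and flags a window in which many distinct accounts each fail only a few times, ignoring how many IPs were used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed sign-ins: a low-and-slow spray across six
# accounts from seven rotating IPs, then a noisy single-account brute force.
SAMPLE_LOG = """\
2020-09-10T08:00:01Z FAIL user=alice src=198.51.100.10
2020-09-10T08:00:07Z FAIL user=bob src=198.51.100.22
2020-09-10T08:00:15Z FAIL user=carol src=203.0.113.5
2020-09-10T08:00:21Z FAIL user=dave src=203.0.113.77
2020-09-10T08:00:33Z FAIL user=erin src=192.0.2.9
2020-09-10T08:00:40Z FAIL user=frank src=192.0.2.44
2020-09-10T08:01:02Z FAIL user=alice src=203.0.113.91
2020-09-10T09:30:00Z FAIL user=grace src=198.51.100.10
2020-09-10T09:30:05Z FAIL user=grace src=198.51.100.10
2020-09-10T09:30:09Z FAIL user=grace src=198.51.100.10
"""

def parse_events(text):
    """Return sorted (timestamp, user, source_ip) tuples for FAIL lines."""
    events = []
    for line in text.splitlines():
        ts, outcome, user, src = line.split()
        if outcome == "FAIL":
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           user.split("=", 1)[1], src.split("=", 1)[1]))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Flag a window where many distinct accounts each fail only a few
    times; source IP is deliberately ignored so rotation cannot hide it."""
    alerts, i = [], 0
    while i < len(events):
        start, per_user, ips, j = events[i][0], defaultdict(int), set(), i
        while j < len(events) and events[j][0] - start <= window:
            per_user[events[j][1]] += 1
            ips.add(events[j][2])
            j += 1
        sprayed = [u for u, n in per_user.items() if n <= max_per_account]
        if len(sprayed) >= min_accounts:
            alerts.append({"start": start, "accounts": len(sprayed),
                           "source_ips": len(ips)})
            i = j            # skip past this burst; one alert per burst
        else:
            i += 1
    return alerts
```

The 09:30 burst (three failures on one account from one IP) is classic brute force and is left to ordinary per-account lockout; the detector only fires on the spread-out 08:00 pattern.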
Microsoft attributed the Chinese effort to the threat actor Zirconium (APT 31), which has targeted the personal email accounts of people affiliated with the Biden campaign as well as at least one prominent individual formerly associated with the Trump administration. Additional efforts were directed against prominent persons in the international affairs community, academic institutions, and policy organizations. Google has also reported APT 31 targeting campaigns since June.
The Iranian threat was identified as Phosphorus (APT 35, Charming Kitten), which had targeted White House officials and Republican campaign staff over several months. Phosphorus had been noted in October 2019 targeting 2020 election campaigns, and has also targeted Iranian defectors, politicians and policy makers with influence on Iranian sanctions, and several infrastructure sectors including energy.
This reiterates and highlights the multi-axis cyber threat to the 2020 elections. Activity is likely to intensify as the election draws closer and, depending on the results, may persist afterward. Regardless of the outcome, sowing discord and undermining US institutions remains a goal of all the threat actors listed above, each of which has the demonstrated capability and intent to cause substantial damage.
As their efforts continue to expand beyond the candidates' organizations, critical infrastructure could be targeted, including electric companies. With society already under strain from COVID, economic setbacks, weather impacts, and protests, the impact of any successful attack is likely to be magnified significantly.
- Canadian CERTs
- CRISP - Cyber Risk Info Sharing Program
- DHS - NICC, NCCIC, US-CERT, etc
- DOE Complex
- E-ISAC AOO Members
- E-ISAC Staff
- FBI, LE Fusion
- FERC - OEIS, etc
- International (other ISACs, CERTs)
- Other (inc. local/state commissions)
- Trade Organizations
- Watch Floor