Microsoft ties fake websites to Russian hackers ahead of midterm election

A group affiliated with the Russian government created phony versions of five websites — including some related to public policy and to the U.S. Senate — with the apparent goal of hacking into the computers of people who were tricked into visiting, according to Microsoft, which said Monday night that it discovered and disabled the fake sites.

The effort by the notorious APT28 hacking group, which has been publicly linked to a Russian intelligence agency and actively interfered in the 2016 presidential election, underscores the aggressive role Russian operatives are playing ahead of the midterm congressional elections in the United States.

U.S. officials have repeatedly warned that the November vote is a major focus for interference efforts. Microsoft said the sites were created over the past several months but did not go into more specifics.

Microsoft’s Digital Crimes Unit took the lead role in finding and disabling the sites, and the company is launching an effort to provide expanded cybersecurity protection for campaigns and election agencies that use Microsoft products.

Among those targeted were the Hudson Institute, a conservative Washington think tank active in investigations of corruption in Russia, and the International Republican Institute, or IRI, a nonprofit group that promotes democracy worldwide. Three other fake sites were crafted to appear as though they were affiliated with the Senate, and one nonpolitical site spoofed Microsoft’s own online products.

The Senate did not immediately respond to requests for comment late Monday.

Microsoft said Monday that it had found no evidence that the fake sites it recently discovered were used in attacks, but fake sites can carry malware that automatically loads onto the computers of unsuspecting visitors. Hackers often send out deceptive “spear-phishing” emails to trick people into visiting sites that appear to be authentic but in fact allow the attackers to penetrate and gain control of computers that log on, allowing the theft of emails, documents, contact lists and other information.

“This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights,” said Daniel Twining, IRI’s president, who put blame on Russian President Vladimir Putin. “It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime.”

The move by Microsoft is the latest effort by Silicon Valley to address Russian threats to the coming election more aggressively than the technology industry did in 2016, when many woke up to the seriousness and sophistication of disinformation efforts only after Americans had voted. Companies and U.S. officials have vowed to work together more closely this year. Facebook recently disclosed that the company had taken down 32 fake accounts and pages that were tied to the Internet Research Agency, a Russian disinformation operation active before and after the 2016 election.

After discovering the sites recently, Microsoft said, it sought to obtain a court order to transfer the domain names to its own servers, a legal tactic that the company’s security division has used a dozen times since 2016 to disable 84 websites created by APT28, which also is sometimes called Strontium or Fancy Bear. APT28, a unit under the Russian military intelligence agency GRU, specializes in information warfare or hacking and disinformation operations. “APT” refers to “advanced persistent threat” in cybersecurity circles.

The court order, executed last week, effectively allowed Microsoft to shut down the sites and to research them more fully. Microsoft has used the legal tactic to go after botnets, or malicious networks of automated accounts, since at least 2010.

Microsoft President Brad Smith said in an interview that the company had been tracking the Russian-government-backed group for two years but had decided to speak publicly about the company’s efforts for the first time because of a growing sense of urgency and an uptick in Russian activity ahead of the midterms.

“You can’t really bring people together in a democratic society unless we share information about what’s going on,” Smith told the Washington Post. “When there are facts that are clear as day, for those of us who operate inside companies, increasingly we feel it’s an imperative for us to share this more broadly with the public.”