Microsoft has once again turned to US courts to seize six internet domains it says the notorious Fancy Bear hackers had set up for spearphishing US politicians and think-tanks ahead of the midterm elections in November.
Along with the domain seizures, Microsoft has launched a new security service dubbed Microsoft AccountGuard, which will be available at no charge to all current US federal, state and local candidates, so long as they’re using Office 365.
The service includes threat detection and notifications for eligible Office 365, Outlook.com, and Hotmail accounts.
Microsoft will directly notify these organizations if it detects new threats targeting users’ corporate email addresses and personal accounts, while offering early access to security features usually reserved for large business and government customers.
The domains seized were designed to mimic websites of the International Republican Institute, whose board includes six Republican senators, conservative think-tank the Hudson Institute, the ADFS (Active Directory Federation Services) email service of the US Senate, and Microsoft’s Office 365 and OneDrive services.
Microsoft said the sites were created by Fancy Bear hackers, widely believed to be linked to the Russian military.
US intelligence accused Fancy Bear of hacking the Democratic National Committee’s computers in 2016 and leaking sensitive emails via WikiLeaks to sway the presidential election in favor of Donald Trump and harm his opponent, Hillary Clinton. That hack occurred after a spearphishing attack against officials from Clinton’s campaign team.
“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit. The sites involved in last week’s order fit this description,” said Microsoft president and chief legal officer Brad Smith.
He said Microsoft was concerned the attempts posed security threats to a broadening array of groups connected with both US political parties in the lead-up to the midterm elections.
However, he noted that Microsoft has no evidence the domains have been used in any successful attack and does not have evidence of who the ultimate targets were.
“Despite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups, and think-tanks across the political spectrum in the United States,” he noted.
“Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”
The domain seizure was led by Microsoft’s Digital Crimes Unit, which has used similar court orders 12 times in two years to shut down 84 bogus websites linked to Fancy Bear, which Microsoft calls Strontium and which is also known as APT28.
Microsoft’s action follows the indictment by the Justice Department in July of 12 officials from the GRU, Russia’s main intelligence directorate, over the DNC hack.