At midnight on Tuesday, Microsoft published a blog post about its “new steps against broadening threats to democracy.”
The post explains that Microsoft detected and shut down some infrastructure allegedly put up by Russian government hackers—those known as Fancy Bear or APT28—to launch phishing attacks against some political nonprofits and think tanks. It’s not clear how, but the company was able to find six domains registered by Fancy Bear. Judging from their names (senate[.]group and office365-onedrive[.]com for example), it figured out that they were created with the goal of deceiving targets into believing these were legitimate Microsoft domains. This is part of a new and creative tactic Microsoft has been using against government hackers: taking down a hacker’s servers by repossessing them in court.
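The deceptive naming described above (brand words such as "office365" or "senate" dropped into a domain the brand does not own) is something a defender can screen for automatically. The following is an added example, not Microsoft's code or the method it used; it assumes constructed lists of brand tokens and legitimately owned registrable domains, accepts defanged indicators in the `senate[.]group` style, and uses a crude "last two labels" split in place of a real public-suffix list.

```python
"""Flag registered domains that impersonate a brand (added example).

Each defanged indicator is refanged, its registrable part is split off, and the
domain is flagged when it contains a protected brand token without being served
from one of that brand's own registrable domains. Token and allow lists are
constructed for illustration and are not complete.
"""
from typing import Dict, List, NamedTuple

# Brand tokens a look-alike domain is likely to borrow (constructed list).
BRAND_TOKENS: Dict[str, List[str]] = {
    "microsoft": ["microsoft", "office365", "office-365", "onedrive",
                  "sharepoint", "outlook"],
    "us-senate": ["senate"],
}

# Registrable domains each brand legitimately uses (constructed list).
ALLOWED_DOMAINS: Dict[str, List[str]] = {
    "microsoft": ["microsoft.com", "office.com", "live.com", "onedrive.com",
                  "sharepoint.com", "outlook.com"],
    "us-senate": ["senate.gov"],
}


class Finding(NamedTuple):
    domain: str
    brand: str
    token: str


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'senate[.]group' back into a hostname."""
    host = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        host = host.replace(bracket, ".")
    return host.replace("hxxp://", "").replace("hxxps://", "")


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. A real deployment would consult the
    public-suffix list so that co.uk-style suffixes are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_domain(indicator: str) -> List[Finding]:
    """Return one Finding per brand whose token appears in a domain the brand
    does not own; an empty list means the name is not a look-alike."""
    host = refang(indicator)
    reg = registrable(host)
    findings: List[Finding] = []
    for brand, tokens in BRAND_TOKENS.items():
        if reg in ALLOWED_DOMAINS.get(brand, []):
            continue  # the brand's own property, so not an impersonation
        for token in tokens:
            if token in host:
                findings.append(Finding(host, brand, token))
                break  # one finding per brand is enough
    return findings


def scan(indicators: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for ind in indicators:
        out.extend(check_domain(ind))
    return out


if __name__ == "__main__":
    # The first two names are the ones quoted in the article; the rest are constructed.
    sample = ["senate[.]group", "office365-onedrive[.]com",
              "login.microsoft.com", "onedrive.com", "example.org"]
    for f in scan(sample):
        print(f"{f.domain}: impersonates {f.brand} (token '{f.token}')")
```

Run against a feed of newly registered domains, this kind of check produces the candidates a takedown or blocklist process would then review; the allow list is what keeps the brand's own hosts from being flagged.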
As the Trump administration continues to downplay or outright deny Russian hacking and disinformation campaigns aimed at interfering with the 2016 and the upcoming 2018 elections, companies have pitched themselves as potentially filling that void. The result is that companies get to publish grandiose company blogs where they take a stand about defending democracy, and in the same breath, promote their latest products.
From Microsoft’s blog post:
“In 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was asked as he departed Independence Hall what type of government the delegates had created. He famously replied, ‘A republic, if you can keep it.’ We can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls untainted by foreign cyberattacks.”
The same blog post also announced “AccountGuard,” a free program that gives extra protection to candidates, campaigns, and related political institutions that use the company’s cloud suite Office 365.
Companies such as Google or Microsoft have cybersecurity teams that rival those of the US government (that’s how Google has known so much about Fancy Bear for such a long time). That’s why private companies can often see some hacking campaigns even before they start (in this case, Microsoft said there’s no evidence these domains had even been used yet). The point is, the Microsofts, Symantecs, and CrowdStrikes of the world have taken it upon themselves to tell us when Russia is up to something, and have often done so in clearer terms than the Trump administration.
While more transparency is almost always better, it’s not clear if this specific activity discovered by Microsoft is really a threat to democracy, which is how it’s being seen by many political observers.
“‘Disrupting elections’ is not what we're seeing here specifically. Just spying,” Thomas Rid, a professor at Johns Hopkins University who’s writing a book about Russian influence campaigns, tweeted in response to the news. “What I'm seeing is ‘a broadening way’ in which companies may take advantage of a now common concern.”
Sean Sullivan, a researcher at the Finnish antivirus company F-Secure, agrees. In a statement sent to reporters, Sullivan said that “there seems to be a rush to conclude that these six domains are part of an ‘attack’ on the elections. And that risks missing the complete threat model–and thus the complete countermeasures that should be taken.”
John Hultquist, a security researcher at FireEye who tracks Russian hackers, echoed this sentiment, tweeting: “These attempted intrusions do not necessarily presage active measures.”
“Long before it started dabbling in leaks and personas, APT28 was a run of the mill cyber espionage actor targeting things like parliaments and think tanks,” he added.
In other words, APT28 creating some phishing URLs to target people who have a role in the US political apparatus is nothing new. It’s worth reporting on, certainly, but it may not have the major significance that the media has given it. Government hackers have been using countless phishing URLs in their hacking campaigns to target political aides and members of think tanks for years. It’s good that Microsoft has stopped them from using these domains, but Fancy Bear hackers will keep using other URLs—it’s a cat and mouse game.
Of course, exposing government hacking has long been a chance for cybersecurity companies to pitch their new products and democracy-saving initiatives. Microsoft’s new announcement is no exception.
Google launched a similar product back in May with a website called “Protect Your Elections.” In July, CloudFlare launched a new initiative called Athenian Project. Behind that grandiose name there’s a free service to protect websites against Distributed Denial of Service (DDoS) attacks. (Very little of what Russian government hackers and trolls did in 2016 could’ve been prevented by anti-DDoS technology.)
Others have been even more brash with their announcements. Last week, antivirus company Cylance said it was giving away its product to anyone until November 9 in a press release titled “Cylance® Defends Democracy.” (Very little of what Russian government hackers and trolls did in 2016 could’ve been prevented by antivirus software.)
While some of these sales pitches may feel a little too lofty, in the absence of leadership from the president’s administration, it’s important that someone steps up to take these threats seriously.