The Russian military intelligence hackers known as Fancy Bear or APT28 wreaked havoc on the 2016 election.Ever since, the cybersecurity community has been waiting for the day they would return to sow more chaos. Just in time for the 2020 election, that day has come. According to Microsoft, Fancy Bear has been ramping up its election-targeted attacks for the past full year.
Microsoft published a blog post revealing that it has seen Russiaâs Fancy Bear hackers, which Microsoft calls Strontium, targeting more than 200 organizations since September 2019. The targets include many election-adjacent organizations, according to researchers at Microsoftâs Threat Intelligence Center.
âThe activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election as had been anticipated,â Microsoftâs blog post reads. âMicrosoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence.â
Microsoftâs blog post also details politically focused hacking campaigns by a Chinese group known as Zirconium or APT31, as well as an Iranian group known as Phosphorous or APT35. The Chinese campaignâs attacks have included 150 successful breaches of organizations in the last six months,
The Iranian campaign, according to Microsoft, has attempted to gain access to multiple accounts of people involved in the 2020 presidential election, as well as multiple members of Trumpâs administration and campaign staff in May and June of this year. Those Trump-targeted intrusions were unsuccessful, Microsoft adds.
But itâs Russiaâs latest attacks that are the most troubling, according to threat intelligence firm FireEye. Thatâs because, unlike Iran or China, the Russian military intelligence agency known as the GRUâand specifically the GRU team known as Fancy Bear, believed to be GRU Unit 26165âhas a history of going beyond traditional spying to carry out political hack-and-leak operations
The new round of Fancy Bear hacking also shows that the group has evolved since 2016. While itâs still working to steal victimsâ account credentials, it has moved on from the email-based spear-phishing attacks linking to fake login pages of the kind that tricked the earlier elections
Those two tactics âhave likely allowed them to automate aspects of their operations,â which would let them scale up their targeting. Microsoft also notes that the hackers have evolved their attempts to avoid detection, rotating through more than a thousand IP addresses in their hacking spree, using the anonymity software Tor, and constantly jettisoning IP addresses and adding new ones.
But while the latest Microsoft findings name Russian, Chinese, and Iranian hackers in equal measure, FireEye director of intelligence warns that Americans shouldnât fall into the trap of thinking those three potential wild cards carry equal risk for American democracy. âAPT28 is the threat that really matters here,â Hultquist says. âThey have the history, the motivation, and the means to actually interfere.â
