Russian military spies who hacked and leaked Democratic emails to inject chaos into the 2016 presidential election are active again, targeting political parties, advocacy groups and consultants, Microsoft announced Thursday.
China and Iran are also attempting to penetrate the Microsoft email accounts of people affiliated with the political campaigns, though the efforts against the campaigns of President Donald Trump by Iran and the Democratic nominee Joe Biden by China were not successful, the firm said.
The Republican National Committee also was unsuccessfully targeted, said a person familiar with the matter, but it is unclear by which country.
The intrusion attempts reflect a stepped-up effort to infiltrate the U.S. political establishment, Microsoft said. "What we've seen is consistent with previous attack patterns that not only target candidates and campaign staffers but also those who they consult on key issues," Tom Burt, a Microsoft vice president, said in a blog post.
The news is consistent with recent statements by the Office of the Director of National Intelligence about the three countries being active in the lead-up to the 2020 election.
However, according to current and former intelligence officials and industry analysts, Russia is the adversary with the intent and capability to cause the most significant potential disruption to the election -- a possibility that Trump, whom Russia sought to help in 2016, has consistently downplayed.
"We think Russian military intelligence poses the greatest foreign threat to the elections," said John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye. "It's concerning to find them targeting organizations associated with campaigns again."
Tim Murtaugh, the Trump campaign's communications director, said: "President Trump will beat Joe Biden fair and square, and we don't need or want any foreign interference."
200 TARGETS
In its blog post, Microsoft says the Russian hackers, which it calls Strontium but which are better known as Fancy Bear or APT28, have targeted more than 200 organizations, including political campaigns and consultants, since September 2019.
The targets include advocacy organizations and think tanks such as the German Marshall Fund of the United States, and national and state party organizations, as well as British political parties. Fancy Bear is a group affiliated with Russian military intelligence, the GRU.
The Russian hackers tried to compromise the email accounts of the staff at the consulting firm SKDKnickerbocker, which works with Biden and other prominent Democrats, but were not successful, according to Reuters.
Campaigns, state and local election offices and parties are more aware of the threat and have boosted their defenses since 2016, officials said. Coordination with federal cybersecurity agencies has also increased.
None of the Microsoft-detected attempts involved voting or election systems, said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.
When it comes to such systems, "we're not seeing a lot of targeted activity that we can tie back to a state-based actor, or even criminal actors," Krebs said at the Billington cybersummit this week. Through intelligence channels, "we're not seeing any planning that they're targeting election infrastructure," he said. "It gives me a little bit of confidence."
What Microsoft could not divine is the respective goals of the Russians, Chinese and Iranians. It could be that they were doing what nation states such as Russia and China have traditionally done: hack for political espionage purposes.
The attempts Microsoft described in its announcement are akin to "thieves snooping around to see if the car doors are open," said another cyberthreat analyst, who was not authorized by his firm to speak on the record. Microsoft is unable to detect attempts on the personal email accounts of individuals using Gmail or other non-Microsoft services.
Thomas Rid, a Johns Hopkins geopolitics expert, said he was disappointed by Microsoft's refusal to differentiate threat level by state actor. "They're lumping in actors that operate in a very different fashion, probably to make this sound more bipartisan," he said. "I just don't understand why."
RUSSIAN CHARGED
Separately on Thursday, the Trump administration charged a Russian national in a plot to sow distrust in the American political process and imposed sanctions against a Russia-linked Ukrainian lawmaker accused of interfering in the U.S. presidential election.
In the case of the sanctions, officials denounced audio recordings that had been released by the Ukrainian parliamentarian and promoted by Trump on Twitter.
The criminal charges accuse Artem Mikhaylovich Lifshits of serving as a translation manager in a Russian effort that since at least 2014 has tried to disrupt the political system in the United States and other countries, and spread distrust about candidates. Members of the initiative, known as Project Lakhta, traveled to the United States to collect intelligence and operated bogus social media accounts that could pump out messaging to millions of Americans on divisive social issues.
The group operated through entities including the Internet Research Agency, the Russian troll farm charged by special counsel Robert Mueller with stirring up discord before the 2016 election, according to a criminal complaint charging Lifshits with using stolen identities to open fake accounts at banks and digital currency exchanges.
The goal of the department where Lifshits worked was to sow discord, incite civil unrest and polarize Americans with social media posts that touched on hot-button topics, including gun rights, immigration, the Confederate flag and race relations, prosecutors say.
"Project Lakhta members did not exclusively adopt one ideological viewpoint; rather, they wrote on topics from varied and sometimes opposing perspectives," a Secret Service agent wrote in an affidavit supporting the complaint. "Project Lakhta members also developed strategies and guidance to target audiences with conservative and liberal viewpoints, as well as particular social groups."
The Justice Department complaint does not accuse Lifshits or other Project Lakhta members of promoting a particular presidential candidate in the 2020 race.
Lifshits was one of four people cited Thursday by the Treasury Department, including Andrii Derkach, a Ukrainian lawmaker who was characterized by the U.S. government as "an active Russian agent" for over a decade. Officials say he has interfered in the 2020 election by releasing edited audio recordings designed to denigrate Biden.
The administration's move was especially notable because the statement announcing it said Derkach's recordings advance anti-Biden claims that rely on "false and unsubstantiated narratives." Trump has promoted those recordings by retweeting posts that include or reference them.
Information for this article was contributed by Ellen Nakashima, Josh Dawsey, Jay Greene, Matt Viser and Isaac Stanley-Becker of The Washington Post; and by Eric Tucker, Mary Clare Jalonick, Frank Bajak, Matt O'Brien, Jonathan Lemire and Lorne Cook of The Associated Press.