Russia-Backed Hackers Try to Harvest Office 365 Credentials
Microsoft Offers More Details on Group's Efforts to Target US Election Campaigns
Microsoft is providing additional details about how a hacking group affiliated with Russian military intelligence is attempting to harvest Office 365 credentials associated with election campaigns in the U.S. and U.K.
Last week, Microsoft reported that Russian, Chinese and Iranian hackers were targeting organizations and individuals associated with the Republican and Democratic U.S. presidential campaigns. The attacks against the parties, campaigns and consultants - the majority of which have been blocked - have been attributed by Microsoft's Threat Intelligence Center to Russia's Strontium hacking group, China's Zirconium APT group and Iran's Phosphorus APT group (see: US Election Hack Attacks Traced to Russia, China, Iran).
In a report providing more details, Microsoft says Strontium, also known as APT28 or Fancy Bear, has been attacking victims to obtain valid Office 365 credentials to enable future surveillance or intrusion operations.
Microsoft has been tracking this new activity since April, and it says the campaign remains active. Between September 2019 and June, the group launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations, researchers say.
The researchers claim that from Aug. 18 to Sept. 3, the Russian hackers targeted more than 6,900 accounts belonging to 28 organizations, but none of these accounts were successfully compromised.
Microsoft also notes that not all the targeted organizations were election-related, but it highlighted a potential emerging threat to the 2020 U.S. presidential election and future electoral contests in the U.K.
The Microsoft researchers note that Strontium relied heavily upon spear-phishing attacks in its credential harvesting efforts leading up to the 2016 U.S. presidential election.
During the most recent campaign, however, the Strontium hackers used different methods, such as brute-force attacks and password spraying. This shift in tactics, also made by several other nation-state actors, enables the hackers to run large-scale credential harvesting operations in a more anonymized manner, according to the Microsoft researchers.
"The tooling Strontium is using routes its authentication attempts through a pool of approximately 1,100 IP [addresses], the majority associated with the Tor anonymizing service," the Microsoft researchers say. Roughly 20 IP addresses are added to and removed from the pool each day to further disguise the activity.
From Aug. 19 to Sept. 3, Strontium's credential harvesting used a daily average of 1,294 IP addresses associated with 536 netblocks and 273 autonomous system numbers.
"Considering the breadth and speed of this technique, it seems likely that Strontium has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking and avoid attribution," the Microsoft researchers note.
Microsoft observed that the Strontium tooling also operated in password-spray mode, in which the tooling attempts username/password combinations in a "low and slow" manner.
"Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address," the Microsoft researchers say.
Organizations targeted by Strontium tooling saw authentication attempts against an average of 20% of their total Office 365 accounts, Microsoft reports.
To mitigate the risk posed by the Russian hackers, Microsoft recommends using multifactor authentication, monitoring failed authentications and testing an organization's resilience.
Implementing MFA across business and personal email accounts successfully thwarts the majority of credential harvesting attacks, the researchers say.
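As an added example (not Microsoft's code or detection logic), the following Python heuristic flags the low-and-slow pattern described above in failed sign-in records: a meaningful share of a tenant's accounts each receiving a handful of failures, nearly all from distinct source IPs, at a rate of only a few attempts per hour. A single user mistyping a password repeatedly from one address is deliberately not flagged. The log format, tenant size and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed Office 365 sign-ins: timestamp, account, source IP.
# Three of ten tenant accounts each see two failures, every one from a different IP.
SPRAY_LOG = """\
2020-08-20T09:02:10Z alice@example.org 198.51.100.7
2020-08-20T09:41:55Z bob@example.org 203.0.113.19
2020-08-20T10:15:02Z carol@example.org 192.0.2.33
2020-08-20T12:58:47Z alice@example.org 203.0.113.88
2020-08-20T13:30:09Z bob@example.org 198.51.100.140
2020-08-20T14:07:31Z carol@example.org 192.0.2.201
"""

# Constructed contrast: one user mistyping a password repeatedly from one IP.
TYPO_LOG = """\
2020-08-20T09:00:01Z dave@example.org 192.0.2.10
2020-08-20T09:00:08Z dave@example.org 192.0.2.10
2020-08-20T09:00:15Z dave@example.org 192.0.2.10
2020-08-20T09:00:22Z dave@example.org 192.0.2.10
"""

TENANT_SIZE = 10  # total accounts in the tenant (constructed assumption)

def parse_failures(log):
    """Parse one 'timestamp account ip' record per line into (datetime, user, ip)."""
    events = []
    for line in log.splitlines():
        ts, user, ip = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip))
    return events

def spray_indicators(events, tenant_size):
    """Compute the three features a low-and-slow spray exhibits."""
    per_user = defaultdict(list)
    for ts, user, _ in events:
        per_user[user].append(ts)
    times = [e[0] for e in events]
    span_hours = max((max(times) - min(times)).total_seconds() / 3600, 1.0)  # floor at 1h
    return {
        "targeted_fraction": len(per_user) / tenant_size,            # share of accounts hit
        "distinct_ip_ratio": len({e[2] for e in events}) / len(events),  # ~1.0 when every try has a new IP
        "max_rate_per_hour": max(len(v) for v in per_user.values()) / span_hours,
    }

def is_low_and_slow_spray(events, tenant_size):
    """Thresholds are assumed, not Microsoft's: many accounts, rotating IPs, low per-account rate."""
    f = spray_indicators(events, tenant_size)
    return f["targeted_fraction"] >= 0.2 and f["distinct_ip_ratio"] >= 0.8 and f["max_rate_per_hour"] <= 10
```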
"When we evaluate all the tokens issued with MFA claims, we see that less than 10% of users use MFA per month in our enterprise accounts (and that includes on-premises and third-party MFA)," according to Microsoft. "Until MFA is more broadly adopted, there is little reason for attackers to evolve."
Strontium is believed to be part of military unit 26165 of the Russian General Staff Main Intelligence Directorate, or GRU. The group is known to work on election disruption in the U.S. and elsewhere to further Russia's political goals (see: Dutch and British Governments Slam Russia for Cyberattacks).
This hacking group is also believed to have been involved in the theft of emails from the Democratic National Committee in 2016 (see: After Russia Hacks DNC: Surprising Candor).
Strontium is known to switch tactics frequently. For example, earlier this year it used a malware variant called Drovorub that is designed to target Linux systems, creating a backdoor into targeted networks to exfiltrate data (see: Alert: Russian Hackers Deploying Linux Malware).