The Russian military intelligence unit that sought to influence the 2016 election appears to have a new target: conservative American think tanks that have broken with President Trump and are seeking continued sanctions against Moscow, exposing oligarchs, or pressing for human rights.
In a report scheduled for release on Tuesday, Microsoft Corp. said that it detected and seized websites that were created in recent weeks by hackers linked to the Russian unit formerly known as the GRU. The sites appeared meant to trick people into thinking they were clicking through links managed by the Hudson Institute and the International Republican Institute. The people were secretly redirected to Web pages created by the hackers to steal passwords and other credentials.
Microsoft also found websites imitating the US Senate, but not specific Senate offices or political campaigns.
The shift to attacking conservative think tanks underscores the Russian intelligence agency’s goals: to disrupt any institutions challenging Moscow and Russia’s president, Vladimir Putin.
The Hudson Institute has promoted programs examining the rise of kleptocracy in governments around the world, with Russia as a prime target. The International Republican Institute, which receives some funding from the State Department and the US Agency for International Development, has worked for decades in promoting democracy around the world.
“We are now seeing another uptick in attacks. What is particular in this instance is the broadening of the type of websites they are going after,” Microsoft’s president, Brad Smith, said Monday in an interview.
“These are organizations that are informally tied to Republicans, so we see them broadening beyond the sites they have targeted in the past,” he said.
The International Republican Institute’s board of directors includes several Republican leaders who have been highly critical of Trump’s interactions with Putin, including a summit meeting last month between the two leaders in Helsinki.
Among them are Senator John McCain of Arizona; Mitt Romney, a former presidential candidate; and — though he was silent on Trump’s appearance in Helsinki — Lieutenant General H.R. McMaster, who was replaced in the spring as the White House national security adviser. McMaster, who is now retired, had been the author of the national security strategy that called for treating Russia as a “revisionist power” and confronting it around the world.
“This is another demonstration of the fact that the Russians aren’t really pursuing partisan attacks, they are pursuing attacks that they perceive in their own national self-interest,” Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, said Monday. “It’s about disrupting and diminishing any group that challenges how Putin’s Russia is operating at home and around the world.”
The State Department has traditionally helped fund both Republican and Democratic groups that engage in promoting democracy.
Daniel Twining, president of the International Republican Institute, called the apparent spear-phishing attempt “consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights.”
“It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin’s authoritarian regime,” Twining said in a statement.
The goal of the Russian hacking attempt was unclear, and Microsoft was able to catch the spoofed websites as they were set up.
But Smith said that “these attempts are the newest security threats to groups connected with both American political parties” ahead of the 2018 midterm elections.
“The Russians are seeking to disrupt and divide,” he said. “There is an asymmetric risk here for democratic societies. The kind of attacks we see from authoritarian regimes like Russia are seeking to fracture and splinter groups in our society.” On Sunday, the national security adviser, John R. Bolton, suggested that Russia was not the only threat in the fall elections. He also named China, Iran and North Korea — the other most active cyberoperators among state adversaries — as threats.
But so far Microsoft and other firms have not found extensive election-related action by those nations.
Senior US intelligence officials have also warned that the midterm elections will be targeted by foreign governments looking to influence American voters.
Speaking last month at the Aspen Security Forum, FBI Director Christopher A. Wray said that his agency was seeing information operations “aimed at sewing discord and divisiveness in the country.”
Only days later, in a report first released to members of Congress, Facebook revealed that it had discovered and eliminated an influence operation aimed at fueling divisions among Americans by targeting progressive groups. Facebook stopped short of naming Russia as the culprit of that campaign, although the social media company pointed to similarities between the influence operation and previous work by the Russian state-linked Internet Research Agency.
The attempt revealed by Microsoft mirrored efforts by Russian state-backed hackers before the 2016 presidential election.
After the election, a number of cybersecurity companies discovered websites that had been created by Russian hackers to spoof, or mimic, those of well-known institutions. Among the think tanks targeted were the Council on Foreign Relations and the Eurasia Group, both based in New York; the Center for a New American Security in Washington; Transparency International in Berlin; and the London-based International Institute for Strategic Studies.
A single letter, or even a punctuation mark, was often the only difference between the real and fake websites.
The fake websites were used as the conduit for a number of attacks, including persuading victims to download harmful malware or to reveal passwords and other personal information. But for the past year Microsoft has grown increasingly aggressive in countering them.
In 2016, a federal judge in Virginia agreed that the group Microsoft calls “Strontium” and others call “APT 28,” for “advanced persistent threat,” would continue its attacks. The judge appointed a “special master” with the power to authorize Microsoft to seize fake websites as soon as they are registered. As a result, the hackers have lost control of many of the sites only days after creating them.
But it is a constant cat-and-mouse game, as the Russian hackers seek new vectors of attack while Microsoft and others seek to cut them off.
“These attacks keep happening because they work. They are successful again and again,” said Thomas Rid, a professor of strategic studies at Johns Hopkins University, who doubts whether anyone can stay ahead of the hackers.
“Microsoft is playing whack-a-mole here,” Rid said. “These sites are easy to register and bring back up, and so they will keep doing so.”
Last month, Microsoft announced that it had detected and helped block similar attacks against two senators who are up for reelection. Senator Claire McCaskill, Democrat of Missouri, who faces one of the toughest political challenges this year, acknowledged that her campaign was among them after months of keeping the news quiet — apparently to avoid alienating voters who doubt the Russian role in election interference.
Microsoft says it is now expanding its effort to help political candidates counter foreign influence. It is starting an initiative it calls AccountGuard to bolster protections to candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations.
With the midterms less than three months away, Microsoft said greater cooperation was needed between tech companies and the federal government over efforts to interfere in US elections.
“Over the last year the larger tech companies, in particular, have put into place stronger information sharing practices where we have seen these threats emerge,” Smith said. “Those agreements, however, are informal.”