Microsoft looks to expose espionage groups taking aim at NGOs, US politics

“I have no reason to believe that they’ll be quiet between now and Nov. 3,” Microsoft’s Tom Burt said of Fancy Bear.

Foreign espionage groups, including those bent on undermining the U.S. political process, have targeted non-government organizations and think tanks more than any other sector in a bid to gather intelligence, according to new data from Microsoft.

Of the thousands of notifications Microsoft made to customers about state-linked hacking activity from mid-2019 to mid-2020, NGOs accounted for 32% of those alerts, the company said in a report released Tuesday. And over 90% of those notifications have been outside of critical infrastructure sectors.

The focus on targets outside Washington suggests hacking groups could be in search of softer targets during an election season when Democratic and Republican campaigns have enlisted more people and technology to protect their networks. Those changes came after suspected Russian military hackers breached the Democratic National Committee in 2016 and leaked emails aimed at damaging Hillary Clinton’s campaign.

“At the national level and the leading campaigns, there’s a much higher degree of vigilance,” Microsoft’s Tom Burt told CyberScoop, comparing the state of security in 2016 to 2020. “That said, they are in a very challenging security environment because of the fact that they rely on…an ever-changing cast of volunteers and participants in the campaign.”

Burt, who is Microsoft’s corporate vice president for customer security and trust, said espionage groups had every incentive to breach accounts they know are in contact with campaigns.

“If you successfully infiltrate the account of a Harvard professor who you know is in contact with one of the campaigns, and then you send your phishing email from that account, saying, ‘Hey, look at this great study I just found,’” Burt said, “the odds that people in that campaign are going to click on that attachment…go way up.”

That’s why federal officials and tech firms, including Microsoft, have continued to offer security support to campaigns as Election Day approaches.

The new Microsoft report — a detailed review of criminal and government hackers’ tradecraft — also warns that state-sponsored attackers are using more reconnaissance techniques to gain access to targets in various sectors. Groups linked with Iran and Russia, for example, are “refining” their use of password-spraying to cast a large net of potential targets.
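The password-spraying the report describes (a few guesses each against many accounts, rather than many guesses against one) is easy to miss with per-account lockout rules alone. The detector below is an added example, not code from Microsoft or from the report, that runs over constructed authentication-log lines and flags a source that fails logins against many distinct accounts in a short window with few attempts per account, while leaving a classic single-account brute-force alone; the log format, thresholds and sample IPs are assumptions made for the example.

```python
"""Password-spray detector over constructed auth-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp, event, user, source IP.
# 198.51.100.7 sprays five accounts once each, then succeeds on one of them.
# 203.0.113.5 hammers a single account three times (brute force, not a spray).
SAMPLE_LOG = """\
2020-09-28T09:00:01Z LOGIN_FAIL user=alice src=198.51.100.7
2020-09-28T09:00:03Z LOGIN_FAIL user=bob src=198.51.100.7
2020-09-28T09:00:05Z LOGIN_FAIL user=carol src=198.51.100.7
2020-09-28T09:00:07Z LOGIN_FAIL user=dave src=198.51.100.7
2020-09-28T09:00:09Z LOGIN_FAIL user=erin src=198.51.100.7
2020-09-28T09:00:11Z LOGIN_OK user=erin src=198.51.100.7
2020-09-28T09:01:00Z LOGIN_FAIL user=alice src=203.0.113.5
2020-09-28T09:01:20Z LOGIN_FAIL user=alice src=203.0.113.5
2020-09-28T09:01:40Z LOGIN_FAIL user=alice src=203.0.113.5
2020-09-28T09:02:00Z LOGIN_OK user=alice src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": m["event"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures in `window` hit >= min_users distinct accounts
    with <= max_per_user attempts each (the spray pattern). Thresholds are assumed.
    Returns one alert per source, noting any later successful login from it."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_fails = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    alerts = {}
    for e in events:
        src = e["src"]
        if e["event"] == "LOGIN_FAIL":
            q = recent_fails[src]
            q.append((e["ts"], e["user"]))
            while q and e["ts"] - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            per_user = defaultdict(int)
            for _, user in q:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alert = alerts.setdefault(src, {
                    "src": src, "users": set(), "attempts": 0,
                    "first_seen": q[0][0], "last_seen": e["ts"],
                    "followed_by_success": set(),
                })
                alert["users"].update(per_user)
                alert["attempts"] = sum(per_user.values())
                alert["last_seen"] = e["ts"]
        elif src in alerts:
            # A success from a flagged source means a sprayed password likely worked.
            alerts[src]["followed_by_success"].add(e["user"])
    # Sort sets into lists so the output is stable and easy to assert on or ship as JSON.
    for alert in alerts.values():
        alert["users"] = sorted(alert["users"])
        alert["followed_by_success"] = sorted(alert["followed_by_success"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on source IP is the simplest cut; a spray spread across many source addresses (cloud VMs, residential proxies) would need the same per-account-count test applied across the whole tenant, or correlated on user-agent or ASN, rather than per source.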

It’s the first time Microsoft has issued such a comprehensive annual report on digital threats, Burt said. With an eye on publishing similar intelligence, Burt is also planning to expand a small team at Microsoft that is focusing on discerning the motives of state-backed hackers. That’s partly because when an espionage group goes after a given industry, the results of the hack may be unexpected, and not surface for a while.

‘We are absolutely on alert’

Microsoft made headlines this month when it announced that Fancy Bear, the Russian government-linked hacking group that intervened in the 2016 election, was again focused on American political targets.

The hackers had targeted 200 organizations, including Democratic and Republican consultants, with new techniques designed to evade defenses. The news was of little surprise to security analysts and election officials, but it was something executives at the technology giant say they felt the public needed to hear: Foreign intelligence agencies won’t stop trying to disrupt the U.S. political process any time soon.

“I have no reason to believe that they’ll be quiet between now and Nov. 3,” Burt said in an interview, referring to Fancy Bear, which his firm calls Strontium. “We are absolutely on alert now across the company…watching for anomalous behavior and for potential attacks” from a range of hacking groups.

With more than a billion devices running its software, Microsoft has perhaps more insight into malicious cyber activity than any other organization. And the tech company has gradually warmed to the role of canary in the security coal mine. After being relatively quiet in 2016, it is now playing a much more assertive public role in election security.

Microsoft is part of a cadre of tech providers, U.S. intelligence agencies and election officials that are in the final stretch of years of preparation for the 2020 election. They are flooding the airwaves with security assurances before the vote, and in the process competing with disinformation from both President Donald Trump and foreign hacking groups like Fancy Bear.

“On a daily basis, I get information to evaluate as to whether or not we’re going to notify that we’ve seen an attack or a compromise” in a given sector, Burt said.

The work won’t stop on Election Day

Since publishing the advisory on Fancy Bear earlier this month, Burt’s team has been scouring their data for any signs of a shift in tactics or techniques from the group. None has emerged, he said. But he isn’t taking anything for granted.

The evidence suggests that the Russians “will be continuing to not only use their own efforts to disrupt the election process or the campaigns, but also to feed information to others who will be using it for disinformation campaigns,” Burt said. That echoes a warning last week from Facebook, which said it was wary of eleventh-hour hack-and-leak operations.

Federal and state officials, and industry executives, will likely be working past Election Day to combat disinformation as mail-in ballots are counted.

“I think you should anticipate that [foreign groups’] disinformation efforts will extend post-Election Day,” Burt said. “While all the data suggests that the election will be highly trustworthy, the fact that that dialogue is continuing to be fueled within the U.S., you should fully anticipate that our adversaries will want to” exploit that.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.