SAN FRANCISCO — For the second time in six months, Microsoft has identified a Russian government-affiliated operation targeting prominent think tanks that have been critical of Russia, the company said in a blog post Tuesday evening.
The “spear-phishing” attacks — in which hackers send out phony emails intended to trick people into visiting websites that look authentic but in fact enable them to infiltrate their victims’ corporate computer systems — were tied to the APT28 hacking group, a unit of Russian military intelligence that interfered in the 2016 U.S. election. The group targeted more than 100 European employees of the German Marshall Fund, the Aspen Institute Germany, and the German Council on Foreign Relations, influential groups that focus on transatlantic policy issues.
The attacks, which took place during the last three months of 2018, come ahead of European parliamentary elections in May. They highlight a continuously aggressive campaign by Russian operatives to undermine democratic institutions in countries they see as adversaries.
The announcement is also the second time in the past six months that Microsoft has gone public with its efforts to thwart APT28, which is sometimes called Strontium or Fancy Bear. (Microsoft exclusively uses the term Strontium.)
Shortly before the U.S. midterm elections, Microsoft disabled spear-phishing efforts aimed at prominent conservative organizations and the U.S. Senate. APT28 created phony websites impersonating the groups, as well as people’s colleagues and Microsoft’s own properties.
“The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations,” the company said in its blog post. “They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”
In its earlier takedown, Microsoft said it had been able to use a novel legal strategy to disable the phony domains. The company obtained a court order to transfer the domain names to its own servers by arguing that spoofing is a violation of the company’s intellectual property rights, and then shut the sites down.
This time, however, Microsoft did not attempt to obtain a court order to block the attackers. The company declined to specify why it did not bring a case. It is only able to bring a case when it has the appropriate geographic jurisdiction or when it believes its intellectual property rights have been violated.
Microsoft did not provide other details about how it attempted to thwart the attacks. Beyond taking down fake domains, the company can alert customers and push out fixes to bugs in corporate software to stop attackers.
Andrew Kolb, communications director for the German Marshall Fund, said he was not surprised that the group was a target of Russia.
“We’ve had a program for the last roughly two years that has focused specifically on authoritarian interference online — and a lot of that has meant looking at Russia,” Kolb said. “We sort of assume we’re going to be subject to these kinds of attacks at any time.”
But Kolb said this was the first time he had been able to directly connect any attacks to a specific Russian group. “It’s a reminder to be aware,” he added.
The Aspen Institute Germany, which is the German affiliate of the Aspen Institute, and the German Council on Foreign Relations, an organization that is distinct from the U.S. Council on Foreign Relations, did not respond to requests for comment. Both organizations have hosted forums where speakers have criticized Russian policy in the United States and Europe.
Microsoft also said Tuesday that it was expanding an initiative to provide enhanced cybersecurity protections free to candidates and campaign offices at the federal, state and local levels that use its Office 365 software, as well as think tanks and political organizations that the company believes are under attack.