STRONTIUM. Phosphorus. Zirconium. Anyone could be forgiven for thinking these were operational codenames from some racy and sinister spy thriller, and they wouldn’t be far off the mark. These are the names under which three major hacking groups operate, groups identified last week by software giant Microsoft as currently targeting US political groups and the presidential campaigns of Donald Trump and Democrat rival Joe Biden. Microsoft has long had teams that track sophisticated hacking groups, but a report released last Thursday provided the most in-depth insight yet into how Russian, Chinese and Iranian hackers are interfering in the US electoral contest. The Microsoft assessment, say analysts, is far more detailed than any yet made public by the American intelligence agencies.

“The activity we are announcing today makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election,” Microsoft said in a post on its website that had the US cyber security community rushing to reassure Americans and others that none of the three hacking groups had yet impacted on election systems. “It is important to highlight that none are involved in maintaining or operating voting infrastructure and there was no identified impact on election systems,” insisted Christopher Krebs, the US Department of Homeland Security’s top cyber official. But Krebs’s reassurances aside, many within the US political community are already nervous of what might be yet to come and the effects of hacking on the November 3 ballot, widely seen as one of the most consequential US presidential elections in decades.

Only making matters worse, Microsoft’s announcement came barely days after a whistleblower at the White House and the Department of Homeland Security claimed that Chad Wolf, the department’s acting secretary, told him to stop intelligence assessments of Russian attempts to influence the 2016 election because it “made the president look bad”. The whistleblower also claimed that Wolf had told him to focus instead on similar efforts by China and Iran, an order that apparently came directly from the White House.

Microsoft’s assessment also comes a fortnight after US Director of National Intelligence John Ratcliffe said he would no longer let intelligence agencies give in-person briefings on election interference in Congress, citing concerns about leaks.

Last week, the US Treasury Department also sanctioned four people accused of trying to interfere in the election on behalf of Russia. One is a member of the Ukrainian parliament, while the other three are Russian nationals employed by Russia’s Internet Research Agency, also known as Glavset.

If all this sounds familiar then that’s because we have been here before, given that it was the same agency that was heavily involved in Moscow’s influence campaign involving “hack and leak” during the 2016 US presidential election. Back then Russian hackers stole and leaked thousands of emails from the Democratic National Committee and Hillary Clinton’s campaign. Even before that now infamous 2016 election there were precedents when China hacked the campaigns of Barack Obama and John McCain in 2008. Then in 2012, foreign and domestic hackers tried to gain access to the campaign networks of Obama and Mitt Romney.

In the intervening years since 2016, US government agencies like the Cybersecurity and Infrastructure Security Agency and the FBI have stepped up efforts to protect elections from hackers and online disinformation, but likewise the hackers themselves have become ever more sophisticated and cunning. So just who then is behind the latest hacking, what have their targets been and what might they hope to achieve?

According to the Microsoft investigation, the same Russian GRU military intelligence unit that carried out the 2016 hacks is also behind the latest attacks. These efforts included the Kremlin-aligned hacking group Strontium, also known as Fancy Bear, who have targeted more than 200 organisations, political campaigns and parties over the past year.

These include the US-based consultants for the Democratic and Republican parties, think tanks such as the German Marshall Fund, the Stimson Centre that promotes international co-operation and political parties in the United Kingdom. Back in 2017, Microsoft resorted to legal action against Strontium, with a US federal court ordering the group to stop targeting Microsoft customers and using the company’s logos in malicious email phishing campaigns.


“Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations,” wrote Tom Burt, corporate vice-president of customer security and trust at Microsoft in last week’s blog post announcing the latest hacking. “In 2016, the group primarily relied on spear phishing to capture people’s credentials. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations,” Burt went on to explain.

The methods being used by the Russians are far more sophisticated than they were four years ago and include complex efforts to hide their digital tracks. Microsoft detailed how Strontium were now routing some of their attacks through Tor, a service that conceals the attackers’ whereabouts and identity, which slowed the effort to identify the hackers. They have also been covering up their tracks by rotating through 1000 different IP addresses, and adding about 20 new ones each day, Microsoft found. So far, Microsoft officials said they found no evidence that hacking efforts this year were successful, but corporate officials cited by The New York Times noted that they had limited vision into Russia’s overall operations.

They cannot say definitively whether materials were stolen, or what Russia’s motivations may be. That, Microsoft said, was the role of US intelligence officials, though it did call on Congress to approve more funding to protect against election interference.

But analysts say that irrespective of whoever ends up in the White House, elections offer rich pickings for spies.

“Parties and campaigns are good sources of intelligence on future policy,” said John Hultquist, an analyst at cyber security company FireEye, speaking to Reuters news agency last week as the Microsoft assessment went public.

Faced with such intelligence leaks, the US Congress to date has appropriated more than $800 million for election security since 2018, but election security experts have insisted that additional funding is still needed given that resources, they say, are now stretched to accommodate the shift in Covid-19 related voting.

According to the American political news website The Hill, several key members of Congress have reacted angrily to reports of the latest attempted cyber attacks.

“We’ve said it all along: Russia will be back ... we need to be prepared,” tweeted Mark Warner, the top Democrat on the Senate Intelligence Committee, a panel that conducted a bipartisan years-long investigation into Russian interference during the 2016 presidential election. One of his Republican counterparts on the committee was more blunt in his assessment about both Russian and Chinese hackers. “In Beijing, Chairman Xi wants Biden to win; in Moscow, Vladimir Putin wants Trump to win; both of these miserable SOBs have the same goal of turning Americans against each other,” Senator Ben Sasse was quoted by The Hill as saying. “The United States needs to make it clear that China and Russia will face severe consequences for hacks and disinformation campaigns. Chinese communists and Russian oligarchs don’t get to vote in America’s elections,” Sasse added.

The Republican senator’s assertion that Beijing is behind Biden and Moscow behind Trump remains, however, a subject of some debate and conjecture. Last month, William Evanina, director of the US National Counterintelligence and Security centre, said that the Russian operatives were attempting to undermine Biden in the run-up to the election, while China and Iran preferred to damage Trump’s chances of remaining in the White House.

But Microsoft’s latest assessment would appear to fly a little in the face of this depiction of Beijing’s role. The Chinese hacking group known as Zirconium, or APT31, has also attacked the non-campaign email accounts of high-profile people in Biden’s campaign, plus at least one prominent person formerly associated with the Trump administration, Microsoft said.

However, Biden’s campaign team insist they anticipated this. “We have known from the beginning of our campaign that we would be subject to such attacks, and we are prepared for them,” a statement released by the Biden campaign said last Thursday. “Biden for President takes cyber security seriously, and will remain vigilant against these threats, and will ensure that the campaign’s assets are secured,” the statement added.

Unlike the hacking efforts by Russians, the hackers in China are using known bugs on websites and targeting specific individuals for their attacks, Microsoft said.

For his part, Trump and his supporters continue to happily push an alternative message, insisting that the Chinese are trying to help Biden. They say Beijing would like to see a Biden victory because he would be weak in standing up to China. Some US intelligence officials dismiss such claims, saying the real reason is because Beijing sees Trump as “unpredictable”.

For their part, Moscow and Beijing – as might be expected – have denied the hacking allegations. China’s foreign affairs ministry spokesman Zhao Lijian said that China has no interest in the US election and has never interfered in it.

The US was an “empire of hackers”, he said at a daily news briefing in Beijing last week. Russian Embassy press secretary in Washington Nikolay Lakhonin also pushed back on the allegations, saying Americans had been discussing “so-called ‘interference’” for years without presenting what he described as “factual evidence”.

But as if the likes of Strontium and Zirconium were not enough for US officials to contend with, enter Phosphorus, an Iranian hacker group often called by its other curious name Charming Kitten. Between May and June the Iranian hackers have been trying to access accounts belonging to Trump’s campaign staff, as well as accounts belonging to Trump administration officials, according to Microsoft. It says that having obtained a federal court’s permission to take control of 25 new internet domains the Iranians were using, it has for now managed to block the majority of the attacks.

Far and away, though, say current and former intelligence officials and industry analysts, Russia is the adversary with the intent and capability to cause the most significant potential disruption to the election. “People should be very nervous about the size and scope of Russia’s operation,” says US Senator Chris Murphy, a Democrat who is urging the current administration to declassify a key report detailing the intelligence community’s current knowledge of Russian interference, while protecting sources and methods.

“I am certain that there are major elements that can be declassified without compromising sources and methods,” Murphy was quoted by The Washington Post last week as saying. He says such information would provide Americans with “very important detail about the variety of ways that the Russians are attempting to manipulate the election”.

Murphy told the Post that he himself had seen the intelligence that goes into detail about “the stories that the Russians are trying to tell about Joe Biden”. “Voters will be very interested to find out how those stories match up with information that’s coming out of certain corridors of the United States Capitol,” the senator was quoted as saying. But right now few are holding their breath in the belief that such details will be made public anytime soon, if ever. For those tasked with overseeing US election security as the clock ticks down, some say they worry less about hacking in the elections than about the widespread dissemination of misinformation and the election logistics, such as a shortage of poll workers and slowdowns at the US postal service.

Disinformation on issues like these could play a crucial role in creating disruption in a ballot that is already shaping up to be a bitter and polarising one in sections of US society. If there is one thing, however, most ordinary Americans agree on right now it’s that outside interference in the election is a given. According to a recent survey by the think tank Pew Research Centre, three quarters of US adults said it is very or somewhat likely that Russia or other foreign governments will attempt to influence the battle for the White House. Their confidence, too, in the federal government to prevent election interference by foreign governments has diminished, the survey also showed.

If Microsoft’s latest assessment is anything to go by, then American citizens’ fears are clearly justified. Strontium, Phosphorus, Zirconium are more than likely to continue working overtime at least until November 3.