{
	"id": "64b6a0e2-19e2-4fd6-8ef3-00c2fe6d00e1",
	"created_at": "2026-04-06T00:17:03.852359Z",
	"updated_at": "2026-04-10T13:13:07.19671Z",
	"deleted_at": null,
	"sha1_hash": "137b64e998919edc3476ff9eba5aa01fd7096dc8",
	"title": "New cyberattacks targeting U.S. elections  - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49196,
	"plain_text": "New cyberattacks targeting U.S. elections  - Microsoft On the\r\nIssues\r\nBy Tom Burt\r\nPublished: 2020-09-10 · Archived: 2026-04-05 13:48:52 UTC\r\nIn recent weeks, Microsoft has detected cyberattacks targeting people and organizations involved in the upcoming\r\npresidential election, including unsuccessful attacks on people associated with both the Trump and Biden\r\ncampaigns, as detailed below. We have and will continue to defend our democracy against these attacks through\r\nnotifications of such activity to impacted customers, security features in our products and services, and legal and\r\ntechnical disruptions. The activity we are announcing today makes clear that foreign activity groups have stepped\r\nup their efforts targeting the 2020 election as had been anticipated, and is consistent with what the U.S.\r\ngovernment and others have reported. We also report here on attacks against other institutions and enterprises\r\nworldwide that reflect similar adversary activity.\r\nWe have observed that:\r\nStrontium, operating from Russia, has attacked more than 200 organizations including political campaigns,\r\nadvocacy groups, parties and political consultants\r\nZirconium, operating from China, has attacked high-profile individuals associated with the election,\r\nincluding people associated with the Joe Biden for President campaign and prominent leaders in the\r\ninternational affairs community\r\nPhosphorus, operating from Iran, has continued to attack the personal accounts of people associated with\r\nthe Donald J. Trump for President campaign\r\nThe majority of these attacks were detected and stopped by security tools built into our products. We have directly\r\nnotified those who were targeted or compromised so they can take action to protect themselves. 
We are sharing\r\nmore about the details of these attacks today, and where we’ve named impacted customers, we’re doing so with\r\ntheir support.\r\nWhat we’ve seen is consistent with previous attack patterns that not only target candidates and campaign staffers\r\nbut also those they consult on key issues. These activities highlight the need for people and organizations involved\r\nin the political process to take advantage of free and low-cost security tools to protect themselves as we get closer\r\nto election day. At Microsoft, for example, we offer AccountGuard threat monitoring, Microsoft 365 for\r\nCampaigns and Election Security Advisors to help secure campaigns and their volunteers. More broadly, these\r\nattacks underscore the continued importance of work underway at the United Nations to protect cyberspace and\r\ninitiatives like the Paris Call for Trust and Security in Cyberspace.\r\nStrontium\r\nStrontium is an activity group operating from Russia whose activities Microsoft has tracked and taken action to\r\ndisrupt on several previous occasions. It was also identified in the Mueller report as the organization primarily\r\nresponsible for the attacks on the Democratic presidential campaign in 2016. Microsoft’s Threat Intelligence\r\nCenter (MSTIC) has observed a series of attacks conducted by Strontium between September 2019 and today.\r\nSimilar to what we observed in 2016, Strontium is launching campaigns to harvest people’s log-in credentials or\r\ncompromise their accounts, presumably to aid in intelligence gathering or disruption operations. Many of\r\nStrontium’s targets in this campaign, which has affected more than 200 organizations in total, are directly or\r\nindirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in\r\nEurope. 
These targets include:\r\nU.S.-based consultants serving Republicans and Democrats;\r\nThink tanks such as The German Marshall Fund of the United States and advocacy organizations;\r\nNational and state party organizations in the U.S.; and\r\nThe European People’s Party and political parties in the UK.\r\nOthers that Strontium targeted recently include businesses in the entertainment, hospitality, manufacturing,\r\nfinancial services and physical security industries.\r\nMicrosoft has been monitoring these attacks and notifying targeted customers for several months, but only\r\nrecently reached a point in our investigation where we can attribute the activity to Strontium with high confidence.\r\nMSTIC’s investigation revealed that Strontium has evolved its tactics since the 2016 election to include new\r\nreconnaissance tools and new techniques to obfuscate their operations. In 2016, the group primarily relied on\r\nspear phishing to capture people’s credentials. In recent months, it has engaged in brute force attacks and\r\npassword spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also\r\ndisguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly\r\nrotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure\r\nover time, adding and removing about 20 IPs per day to further mask its activity.\r\nWe are also working with our customers to assist them in proactively hunting for these types of threats in their\r\nenvironments and have published additional detail and guidance on Strontium activity.\r\nZirconium\r\nZirconium, operating from China, has attempted to gain intelligence on organizations associated with the\r\nupcoming U.S. presidential election. We’ve detected thousands of attacks from Zirconium between March 2020\r\nand September 2020 resulting in nearly 150 compromises. 
Its targets have included individuals in two categories.\r\nFirst, the group is targeting people closely associated with U.S. presidential campaigns and candidates. For\r\nexample, it appears to have indirectly and unsuccessfully targeted the Joe Biden for President campaign through\r\nnon-campaign email accounts belonging to people affiliated with the campaign. The group has also targeted at\r\nleast one prominent individual formerly associated with the Trump Administration.\r\nSecond, the group is targeting prominent individuals in the international affairs community, academics in\r\ninternational affairs from more than 15 universities, and accounts tied to 18 international affairs and policy\r\norganizations including the Atlantic Council and the Stimson Center.\r\nZirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and\r\npopulated with content. The actor then sends the associated URL in either email text or an attachment to a targeted\r\naccount. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a\r\nuser attempted to access the site. For nation-state actors, this is a simple way to perform reconnaissance on\r\ntargeted accounts to determine if the account is valid or the user is active.\r\nPhosphorus\r\nPhosphorus is an activity group operating from Iran that MSTIC has tracked extensively for several years. The\r\nactor has operated espionage campaigns targeting a wide variety of organizations traditionally tied to geopolitical,\r\neconomic or human rights interests in the Middle East region. Microsoft has previously taken legal action against\r\nPhosphorus’ infrastructure and its efforts late last year to target a U.S. presidential campaign. 
Last month, as part\r\nof our ongoing efforts to disrupt Phosphorus activity, Microsoft was again given permission by a federal court in\r\nWashington D.C. to take control of 25 new internet domains used by Phosphorus. Microsoft has since taken\r\ncontrol of these domains. To date, we have used this method to take control of 155 Phosphorus domains.\r\nSince our last disclosure, Phosphorus has attempted to access the personal or work accounts of individuals\r\ninvolved directly or indirectly with the U.S. presidential election. Between May and June 2020, Phosphorus\r\nunsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President\r\ncampaign staff.\r\nBolstering Cybersecurity\r\nWe disclose attacks like these because we believe it’s important the world knows about threats to democratic\r\nprocesses. It is critical that everyone involved in democratic processes around the world, either directly or\r\nindirectly, be aware of these threats and take steps to protect themselves in both their personal and professional\r\ncapacities. We report on nation-state activity to our customers and more broadly when material to the public,\r\nregardless of the actor’s nation-state affiliation. We are taking extra steps to protect customers involved in\r\nelections, government and policymaking. We’ll continue to disclose additional significant activity in our efforts to\r\ndefend democracy.\r\nWe also believe more federal funding is needed in the U.S. so states can better protect their election infrastructure.\r\nWhile the political organizations targeted in attacks from these actors are not those that maintain or operate voting\r\nsystems, this increased activity related to the U.S. electoral process is concerning for the whole ecosystem. We\r\ncontinue to encourage state and local election authorities in the U.S. to harden their operations and prepare for\r\npotential attacks. 
But as election security experts have noted, additional funding is still needed, especially as\r\nresources are stretched to accommodate the shift in COVID-19-related voting. We encourage Congress to move\r\nforward with additional funding to the states and provide them with what they need to protect the vote and\r\nultimately our democracy.\r\nTags: cyberattacks, cybersecurity, Defending Democracy Program, Election Security Advisors, ElectionGuard,\r\nMicrosoft 365 for Campaigns, MSTIC, security\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/"
	],
	"report_names": [
		"cyberattacks-us-elections-trump-biden"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e6186dd-9334-4aac-9957-98f022cd3871",
			"created_at": "2022-10-25T15:50:23.357398Z",
			"updated_at": "2026-04-10T02:00:05.368552Z",
			"deleted_at": null,
			"main_name": "ZIRCONIUM",
			"aliases": [
				"APT31",
				"Violet Typhoon"
			],
			"source_name": "MITRE:ZIRCONIUM",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "74d9dada-0106-414a-8bb9-b0d527db7756",
			"created_at": "2025-08-07T02:03:24.69718Z",
			"updated_at": "2026-04-10T02:00:03.733346Z",
			"deleted_at": null,
			"main_name": "BRONZE VINEWOOD",
			"aliases": [
				"APT31 ",
				"BRONZE EXPRESS ",
				"Judgment Panda ",
				"Red Keres",
				"TA412",
				"VINEWOOD ",
				"Violet Typhoon ",
				"ZIRCONIUM "
			],
			"source_name": "Secureworks:BRONZE VINEWOOD",
			"tools": [
				"DropboxAES RAT",
				"HanaLoader",
				"Metasploit",
				"Mimikatz",
				"Reverse ICMP shell",
				"Trochilus"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dc7ee503-9494-4fb6-a678-440c68fd31d8",
			"created_at": "2022-10-25T16:07:23.349177Z",
			"updated_at": "2026-04-10T02:00:04.552639Z",
			"deleted_at": null,
			"main_name": "APT 31",
			"aliases": [
				"APT 31",
				"Bronze Vinewood",
				"G0128",
				"Judgment Panda",
				"Red Keres",
				"RedBravo",
				"TA412",
				"Violet Typhoon",
				"Zirconium"
			],
			"source_name": "ETDA:APT 31",
			"tools": [
				"9002 RAT",
				"Agent.dhwf",
				"AngryRebel",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"GrewApacha",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Kaba",
				"Korplug",
				"McRAT",
				"MdmBot",
				"Moudour",
				"Mydoor",
				"PCRat",
				"PlugX",
				"RedDelta",
				"Roarur",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/137b64e998919edc3476ff9eba5aa01fd7096dc8.pdf",
		"text": "https://archive.orkl.eu/137b64e998919edc3476ff9eba5aa01fd7096dc8.txt",
		"img": "https://archive.orkl.eu/137b64e998919edc3476ff9eba5aa01fd7096dc8.jpg"
	}
}