{
	"id": "475d44c5-6cbb-4c04-8b38-ffffb635954c",
	"created_at": "2026-04-06T00:16:25.193233Z",
	"updated_at": "2026-04-10T03:37:50.76701Z",
	"deleted_at": null,
	"sha1_hash": "459353af5d49fe42b1fe61fec5709d6df11c4ce5",
	"title": "We are taking new steps against broadening threats to democracy - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48328,
	"plain_text": "We are taking new steps against broadening threats to democracy -\r\nMicrosoft On the Issues\r\nBy Brad Smith\r\nPublished: 2018-08-21 · Archived: 2026-04-02 10:39:17 UTC\r\nIt’s clear that democracies around the world are under attack. Foreign entities are launching cyber strikes to\r\ndisrupt elections and sow discord. Unfortunately, the internet has become an avenue for some governments to steal\r\nand leak information, spread disinformation, and probe and potentially attempt to tamper with voting systems. We\r\nsaw this during the United States general election in 2016, last May during the French presidential election, and\r\nnow in a broadening way as Americans are preparing for the November midterm elections.\r\nBroadening cyberthreats to both U.S. political parties make clear that the tech sector will need to do more to help\r\nprotect the democratic process. Last week, Microsoft’s Digital Crimes Unit (DCU) successfully executed a court\r\norder to disrupt and transfer control of six internet domains created by a group widely associated with the Russian\r\ngovernment and known as Strontium, or alternatively Fancy Bear or APT28. We have now used this approach 12\r\ntimes in two years to shut down 84 fake websites associated with this group. Attackers want their attacks to look\r\nas realistic as possible and they therefore create websites and URLs that look like sites their targeted victims\r\nwould expect to receive email from or visit. The sites involved in last week’s order fit this description.\r\nWe’re concerned that these and other attempts pose security threats to a broadening array of groups connected\r\nwith both American political parties in the run-up to the 2018 elections. That’s why today we are expanding\r\nMicrosoft’s Defending Democracy Program with a new initiative called Microsoft AccountGuard. 
This initiative\r\nwill provide state-of-the-art cybersecurity protection at no extra cost to all candidates and campaign offices at the\r\nfederal, state and local level, as well as think tanks and political organizations we now believe are under attack.\r\nThe technology is free of charge to candidates, campaigns and related political institutions using Office 365.\r\nAs a special master appointed by a federal judge concluded in the recent court order obtained by DCU, there is\r\n“good cause” to believe that Strontium is “likely to continue” its conduct. In the face of this continuing activity,\r\nwe must work on the assumption that these attacks will broaden further. An effective response will require even\r\nmore work to bring people and expertise together from across governments, political parties, campaigns and the\r\ntech sector.\r\nAn expansion of political targets\r\nLast week’s order transferred control of the six internet domains listed below from Strontium to Microsoft,\r\npreventing Strontium from using them and enabling us to more closely look for evidence of what Strontium\r\nintended to do with the domains. These six domains are listed here:\r\nList of six internet domains that were ordered transferred from Strontium to Microsoft\r\nhttps://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/\r\nPage 1 of 3\n\nImportantly, these domains show a broadening of entities targeted by Strontium’s activities. One appears to mimic\r\nthe domain of the International Republican Institute, which promotes democratic principles and is led by a notable\r\nboard of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the\r\ndomain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among\r\nother important activities. Other domains appear to reference the U.S. Senate but are not specific to particular\r\noffices. 
To be clear, we currently have no evidence these domains were used in any successful attacks before the\r\nDCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any\r\nplanned attack involving these domains.\r\nMicrosoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to\r\nwork closely with them and other targeted organizations on countering cybersecurity threats to their systems.\r\nWe’ve also been monitoring and addressing domain activity with Senate IT staff the past several months,\r\nfollowing prior attacks we detected on the staffs of two current senators.\r\nDespite last week’s steps, we are concerned by the continued activity targeting these and other sites and directed\r\ntoward elected officials, politicians, political groups and think tanks across the political spectrum in the United\r\nStates. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United\r\nStates and the 2017 election in France.\r\nOur new Microsoft AccountGuard initiative\r\nAccountGuard will provide three services that will cover both organizational and personal email accounts:\r\n1. Threat notification across accounts. The Microsoft Threat Intelligence Center will enable Microsoft to\r\ndetect and provide notification of attacks in a unified way across both organizational and personal email\r\nsystems. For political campaigns and other eligible organizations, when an attack is identified, this will\r\nprovide a more comprehensive view of attacks against campaign staff. When verifiable threats are detected,\r\nMicrosoft will provide personal and expedited recommendations to campaigns and campaign staff to\r\nsecure their systems.\r\n2. Security guidance and ongoing education. Officials, campaigns and related political organizations will\r\nreceive guidance to help make their networks and email systems more secure. 
This can include applying\r\nmulti-factor authentication, installing the latest security updates and guidance for setting up systems that\r\nensure only those people who need data and documents can access them. AccountGuard will provide\r\nupdated briefings and training to address evolving cyberattack trends.\r\n3. Early adopter opportunities. Microsoft will provide preview releases of new security features on a par\r\nwith the services offered to our large corporate and government account customers.\r\nYou can read a more complete description of Microsoft AccountGuard in today’s blog by Tom Burt, the corporate\r\nvice president who heads Microsoft’s Customer Security and Trust group.\r\nMicrosoft’s Defending Democracy Program\r\nSince we launched Microsoft’s Defending Democracy Program in April, we have focused on four priorities:\r\nprotecting campaigns from hacking, protecting voting and the electoral process, increasing political advertising\r\ntransparency, and defending against disinformation campaigns. In the coming months, we will offer\r\nAccountGuard in additional countries, as we continue to invest in and evolve other aspects of the Defending\r\nDemocracy Program.\r\nOur Defending Democracy Program is an important piece of our work to protect customers and promote\r\ncyberdiplomacy around the world. While cybersecurity starts with Microsoft and other companies in the tech\r\nsector, it’s ultimately a shared responsibility with customers and governments around the world. Together with our\r\nindustry partners, we’ve launched the Cybersecurity Tech Accord, now endorsed by 44 leading tech companies to\r\nprotect and empower civilians online and to improve the security, stability and resilience of cyberspace. 
And we\r\nwill continue to call for stronger adherence to existing international norms and the creation of new international\r\nlaws – like a Digital Geneva Convention.\r\nAs last week’s court order and today’s AccountGuard initiative reflect, we are committed not only to stronger\r\nprinciples and laws but stronger action as well.\r\nA democracy requires vigilance\r\nIn 1787, as the American constitutional convention reached its conclusion in Philadelphia, Benjamin Franklin was\r\nasked as he departed Independence Hall what type of government the delegates had created. He famously replied,\r\n“A republic, if you can keep it.”\r\nWe can only keep our democratic societies secure if candidates can run campaigns and voters can go to the polls\r\nuntainted by foreign cyberattacks.\r\nDemocracy requires vigilance and at times action by citizens to protect and maintain it. No individual or company\r\ncan hope to meet this imperative by itself. We all need to do our part. We’re committed to doing our part by\r\nhelping to protect candidates and campaigns in preserving their voices and votes no matter what party they\r\nsupport.\r\nTags: cybersecurity, elections, Microsoft AccountGuard, The Digital Crimes Unit\r\nSource: https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/"
	],
	"report_names": [
		"we-are-taking-new-steps-against-broadening-threats-to-democracy"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434585,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/459353af5d49fe42b1fe61fec5709d6df11c4ce5.pdf",
		"text": "https://archive.orkl.eu/459353af5d49fe42b1fe61fec5709d6df11c4ce5.txt",
		"img": "https://archive.orkl.eu/459353af5d49fe42b1fe61fec5709d6df11c4ce5.jpg"
	}
}