Hacking groups from Russia, China and Iran are intensifying their efforts to break into a large variety of user accounts associated with political and human rights organisations, and businesses in the United States and the United Kingdom, Microsoft security monitoring has found.
The attacks come ahead of the US elections, and Microsoft is urging organisations and targeted individuals to enable multi-factor authentication for accounts, which thwarts the vast majority of credential harvesting attempts.
Despite the proven efficacy of MFA – Google stated last year that no accounts using hardware keys for its services have been hijacked – Microsoft found uptake of the security measure below ten per cent in the enterprise accounts it monitors.
Without broader adoption of MFA, Microsoft said there’s little reason for attackers to evolve beyond their current tactics for obtaining access to accounts.
On top of enabling MFA, Microsoft advised organisations to actively monitor failed login attempts and to test their resilience with simulated phishing and password attacks on users.
Russia, China and Iran implicated
Three state-sponsored threat actors were singled out by Microsoft.
Strontium, which operates from Russia, has attacked over 200 organisations over the past few years, including the 2016 hacks on the US Democratic Party presidential campaign in which emails were taken by the threat actors.
Recently, Strontium has targeted US political consultants working for both the Republicans and Democrats, as well as think tanks and national and state party organisations, Microsoft Threat Intelligence Centre said.
The group has also attacked the European People’s Party, a Christian-democratic conservative party founded by former Polish prime minister Donald Tusk.
UK political parties have been targeted by Strontium, which has also gone after businesses in the hospitality, manufacturing, financial services and physical security sectors.
Strontium appears to have mostly abandoned targeted “spearphishing” of specific accounts in favour of large-scale brute force and password spraying attacks.
The attacks are conducted via a pool of over 1200 internet protocol addresses spread across five different netblocks in the US, Germany and Austria.
Most of these use The Onion Router (TOR) anonymising service, originally developed by the US Navy, to evade tracking and attribution, Microsoft said.
Strontium’s password-spraying attacks can last for days and weeks, trying on average four username/password combinations per account per hour.
Strontium’s brute force attacks, on the other hand, can result in around 300 authentication attempts per hour per account over several hours or days.
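A defender-side check suggested by the rates above, as an added example that is not from Microsoft’s report or this article: it groups failed logins from constructed sample log lines by account and by /24 netblock, flagging a many-accounts, low-rate pattern as spraying and a single account with hundreds of failures per hour as brute force. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Thresholds are illustrative assumptions, anchored to the rates quoted above:
# spraying ran at roughly four attempts per account per hour, brute force at ~300.
SPRAY_MIN_ACCOUNTS = 5     # distinct accounts failed from one /24 netblock
SPRAY_MAX_RATE = 10.0      # ...each at a low hourly failure rate
BRUTE_MIN_RATE = 100.0     # one account hammered at a high hourly failure rate

def parse(line):
    """Constructed format: '<ISO time> <FAIL|OK> user=<account> src=<ipv4>'."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def netblock(ip):
    """Collapse an IPv4 address to its /24 so a pool of addresses is seen as one source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def classify_failures(lines):
    """Return {'spraying': {netblock: n_accounts}, 'brute_force': {account: fails_per_hour}}."""
    fails = [e for e in map(parse, filter(str.strip, lines)) if e[1] == "FAIL"]
    if not fails:
        return {"spraying": {}, "brute_force": {}}
    span = max(e[0] for e in fails) - min(e[0] for e in fails)
    hours = max(span.total_seconds() / 3600, 1.0)   # rate over at least one hour
    per_account, accounts_by_block = defaultdict(int), defaultdict(set)
    for _, _, user, src in fails:
        per_account[user] += 1
        accounts_by_block[netblock(src)].add(user)
    rate = {u: n / hours for u, n in per_account.items()}
    brute = {u: r for u, r in rate.items() if r >= BRUTE_MIN_RATE}
    spray = {}
    for block, users in accounts_by_block.items():
        low = [u for u in users if rate[u] <= SPRAY_MAX_RATE]
        if len(low) >= SPRAY_MIN_ACCOUNTS:
            spray[block] = len(low)
    return {"spraying": spray, "brute_force": brute}

def constructed_log():
    """Constructed sample: a spray over six accounts from one /24, plus one account brute-forced."""
    sprayed = ["alice", "bob", "carol", "dave", "erin", "frank"]
    lines = [f"2020-09-10T10:00:{i:02d} FAIL user={u} src=203.0.113.{i + 5}" for i, u in enumerate(sprayed)]
    lines += [f"2020-09-10T10:{i // 60:02d}:{i % 60:02d} FAIL user=target src=198.51.100.20" for i in range(300)]
    lines.append("2020-09-10T10:05:01 OK user=alice src=198.51.100.9")
    return lines

if __name__ == "__main__":
    print(classify_failures(constructed_log()))
```

Real deployments would read the same fields from the identity provider’s sign-in logs and tune the thresholds to the tenant’s baseline of ordinary mistyped passwords.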
People associated with Democratic presidential candidate Joe Biden and prominent international affairs leaders have been targeted by Chinese hacking group Zirconium, Microsoft’s head of customer security and trust Tom Burt said.
One former member of the Trump Administration has also been attacked by Zirconium, which between March and September this year managed to break into nearly 150 accounts, Microsoft said.
Zirconium sends “web beacons”, links to domains that it controls, to targeted users.
While the domains themselves might not carry malicious content, users that click on the links notify Zirconium that their accounts are valid.
Iran’s Phosphorus group is also ramping up activities, and between May and June this year tried to access US government accounts, and others associated with Donald Trump’s presidential election campaign.
Phosphorus did not succeed in logging into the accounts and Microsoft obtained a court order in August to take control of 25 domains registered by the group.
Over the years, Microsoft has seized 155 domains that were part of Phosphorus’ digital infrastructure.