Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Democrats and Republicans - The New York Times


https://nyti.ms/32gAcHa

Russian Intelligence Hackers Are Back, Microsoft Warns, Aiming at Officials of Both Parties

China is also growing more adept at targeting campaign workers. But contrary to Trump
administration warnings, Beijing is mostly aiming at Biden campaign officials.

By David E. Sanger and Nicole Perlroth

Sept. 10, 2020

The Russian military intelligence unit that attacked the Democratic National Committee
four years ago is back with a series of new, more stealthy hacks aimed at campaign staff
members, consultants and think tanks associated with both Democrats and Republicans.

That warning was issued on Thursday by the Microsoft Corporation, in an assessment
that is far more detailed than any yet made public by American intelligence agencies.

The findings come one day after a government whistle-blower claimed that officials at the
White House and the Department of Homeland Security suppressed intelligence
concerning Russia’s continuing interference because it “made the president look bad,”
and instructed government analysts to instead focus on interference by China and Iran.

Microsoft did find that Chinese and Iranian hackers have been active — but often not in
the way President Trump and his aides have suggested.

Federal officials insisted that the Microsoft report was consistent with their own
warnings, which named Russia, China and Iran as three nations seeking to gather
information from the campaigns, and perhaps try to influence the outcome. But the most
recent assessment by the director of national intelligence, last month, also said China
preferred that former Vice President Joseph R. Biden Jr. win the 2020 election.

The Microsoft assessment may have complicated that finding because it found that
Chinese hackers focused their attacks on the private email accounts of Mr. Biden’s
campaign staff members, along with a range of other prominent people in academia and
the national security establishment, including groups like the Atlantic Council and the
Stimson Center.

Notably, only one of the Chinese targets detected by Microsoft was affiliated with Mr.
Trump, a former administration official whom Microsoft declined to name.

Firms like Microsoft and Google, because they sit atop global networks, have a front-seat
view of suspicious activity, and increasing motivation to make it public to warn their
customers. The result, inevitably, is a tumble of reports from the private sector, which
government intelligence officials will be forced to assess, along with their own findings.

Thea McDonald, the deputy national press secretary for the Trump campaign, said: “We
are a large target, so it is not surprising to see malicious activity directed at the campaign
or our staff. We work closely with our partners, Microsoft and others, to mitigate these
threats.” She would not comment on specific cybersecurity measures the campaign was
taking.

The Biden campaign said that it was “aware of reports from Microsoft that a foreign actor
has made unsuccessful attempts to access the noncampaign email accounts of individuals
affiliated with the campaign,” and that it was preparing for the inevitable onslaught of
attacks in the coming weeks. While the campaign did not confirm the company’s
reporting, it has taken issue with the director of national intelligence’s assessment, issued
several weeks ago, that Chinese leaders prefer Mr. Biden over Mr. Trump.

The Microsoft investigation also concluded that hackers related to Russia’s G.R.U., the
military intelligence unit that oversaw the “hack and leak” efforts in 2016 that made
emails from Hillary Clinton’s campaign public, were going to new lengths to hide their
tracks. They are routing some of the attacks through Tor, a service that conceals the
attackers’ whereabouts and identity, which slowed the effort to identify the hackers.

So far, Microsoft officials said they found no evidence that hacking efforts this year were
successful, but corporate officials noted that they had limited vision into Russia’s overall
operations. They cannot say definitively that no materials were stolen, or what Russia’s
motivations may be. That, they said, was the role of U.S. intelligence officials.

Microsoft’s findings come just two weeks after the director of national intelligence, John
Ratcliffe, declared that he would no longer let intelligence agencies give detailed,
in-person briefings about election interference to Congress. He said the restrictions were
because of leaks.

In a statement, Christopher Krebs, who directs the Cybersecurity and Infrastructure
Security Agency at the Department of Homeland Security, said, “We are aware that
Microsoft detected attempts to compromise email accounts of people and organizations
associated with the upcoming election.”

Mr. Krebs noted that “none are involved in maintaining or operating voting infrastructure
and there was no identified impact on election systems.” He also said that the company’s
“announcement is consistent with earlier statements by the intelligence community on a
range of malicious cyberactivities targeting the 2020 campaign and reinforces that this is
an all-of-nation effort to defend democracy.”

Mr. Krebs, who was a Microsoft executive before joining the Trump administration, said
his agency was releasing on Thursday “guidance for improving cyberdefenses against
account compromise attacks.”

There is no question that Microsoft’s assessment complicates the administration’s
narrative that China is a bigger threat to U.S. elections than Russia, as both the national
security adviser, Robert C. O’Brien, and Attorney General William P. Barr said in
interviews last week.

And hours after his own Treasury Department announced fresh sanctions for election
interference, Mr. Trump seemed to claim Moscow’s involvement was a hoax. “What about
China?” he said at a campaign rally on Thursday night. “What about other countries? It’s
always Russia, Russia, Russia. They’re at it again.”

The report concludes that the Russian military intelligence unit has only accelerated its
attacks, even after a series of financial sanctions, indictments of Russian intelligence
officers and retaliatory cyberstrikes by United States Cyber Command before the 2018
midterm elections.

Microsoft’s researchers concluded that the G.R.U. hacking unit — alternatively known as
Fancy Bear, APT 28 or Strontium to different industry researchers — has been
aggressively hacking the personal email accounts of American politicians, campaign
staff members and consultants on both sides of the aisle.

In just the two weeks between Aug. 18 and Sept. 3, the group targeted 6,912 email
accounts at 28 organizations, obfuscating the attacks through Tor.

Microsoft’s finding that it is Mr. Biden — not Mr. Trump — whom Chinese hackers are
targeting also complicates a narrative pushed by the White House that China is
interfering in the 2020 election to help the former vice president’s campaign.

While the Biden campaign said it would not comment on the specifics of the Microsoft
findings, it disputed the American intelligence assessment, arguing that China’s
preference in the election was clear: the re-election of Mr. Trump.

“There are very obvious reasons China’s leadership would prefer four more years of
President Trump,” said Antony J. Blinken, Mr. Biden’s longtime foreign policy adviser and
a former deputy secretary of state. “He’s helped China advance its most important
strategic goals: weakening American alliances; leaving a vacuum in the world for China
to fill; giving Beijing a green light to trample human rights in Xinjiang and democracy in
Hong Kong; and debasing our own democracy and so reducing its appeal.”

“He also publicly echoed their propaganda downplaying Covid-19 while privately
admitting how dangerous it was,” he said. “All of this benefits China at the expense of our
nation.”

Currently, there are sharp and telling differences between the Russians and the Chinese.

China’s attack on Mr. Biden’s campaign appears to be an attempt at standard espionage,
similar to its hacking of the presidential candidates John McCain and Barack Obama in
2008, when Chinese spies gained access to internal position papers and emails of top
campaign advisers for both candidates. Microsoft’s findings echo those of Google
researchers last spring, who determined that the same Chinese group was targeting Mr.
Biden’s campaign.

Microsoft also said on Thursday that Iran’s hackers have continued to target Mr. Trump’s
campaign, as the company first warned last October, albeit with limited success.
Microsoft has managed to take control of 155 of the web domains that Iran is using for its
attacks.

But Iran has remained persistent. Between May and June, according to Microsoft
investigators, Iran’s hackers went into overdrive trying to break into the personal email
accounts of Trump administration officials and campaign officials, apparently without
success.

In terms of sophistication, security researchers overwhelmingly say it is Russia’s G.R.U.
hackers who present the gravest threat.

“Multiple cyberespionage actors are targeting organizations associated with the
upcoming election, but we remain most concerned about Russian military intelligence,
who we believe poses the greatest threat to the U.S. democratic process,” said John
Hultquist, the director of intelligence analysis at FireEye, which has worked with both
parties. “The G.R.U. routinely violates international norms and has not been dissuaded
by indictments and other attempts to halt their malicious activity.”

Just before Microsoft’s announcement on Thursday, the Treasury Department announced
new sanctions on three Russians and a member of Ukraine’s Parliament — who was
described as a Russian agent — for their efforts to influence the upcoming election.

“Russia has used a wide range of influence methods and actors to target our electoral
process, including targeting U.S. presidential candidates,” the department said in a
statement.

But the whistle-blower complaint made public on Wednesday, with its allegation that
federal intelligence analysts were told to edit out references to Russian interference, has
put the integrity of the government’s own assessments in doubt. The complaint says that
in May, Mr. O’Brien instructed Chad Wolf, the acting secretary of homeland security, to
stop providing intelligence assessments on the threat of Russian interference and report
instead on China and Iran.

“If that whistle-blower report is true, the people responsible are violating their oath of
office,” said Thomas P. Bossert, Mr. Trump’s first homeland security adviser. “Short of
war, the best way to defeat a foreign influence operation is to expose it publicly. Sanctions
alone aren’t going to stop Putin from messing with U.S. elections.”

Intelligence officials privately warned the White House and lawmakers in February that
Russia was actively working to re-elect Mr. Trump and divide Democrats by supporting
Senator Bernie Sanders of Vermont. The Trump administration has contended that it has
been tough on Russia, despite Mr. Trump’s refusal to criticize President Vladimir V. Putin
and its latest efforts to downplay Moscow’s recent interference.

For two years now, Mr. Trump has been unwilling to lead meetings on election security
related to Russia. In April 2019, The New York Times reported that Kirstjen Nielsen, then
the homeland security secretary, was instructed not to hold meetings in Mr. Trump’s
presence describing the concerns about renewed Russian interference. Ms. Nielsen was
soon forced to resign.

David E. Sanger is a national security correspondent. In a 36-year reporting career for The Times, he has been on
three teams that have won Pulitzer Prizes, most recently in 2017 for international reporting. His newest book is
“The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.” @SangerNYT

Nicole Perlroth is a reporter covering cybersecurity and espionage. Before joining The Times in 2011, she
reported on Silicon Valley at Forbes Magazine. @nicoleperlroth

A version of this article appears in print on Sept. 11, 2020, Section A, Page 1 of the New York edition with the headline: Stark Warning About
Hacking Of Both Parties
