Russian Attacks Hit US-European Think Tank Emails, Says Microsoft

Victor Lauer/

Featured eBooks

Digital First
Cybersecurity & the Road Ahead
Emerging Technology Trends

The same groups that hit the DNC recently targeted prominent think tanks, including one election-monitoring organization

Microsoft has detected a new hacking campaign aimed at European think tanks doing work on election integrity in Europe.

“At Microsoft, we’ve seen recent activity targeting democratic institutions in Europe as part of the work our Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) carry out every day to protect all of our customers,” company officials said in a blog post Wednesday.

Hackers from the Russian group Strontium—also known as Fancy Bear and APT28, and affiliated with the Russian military intelligence service, or GRU—sent phishing emails to employees working on election monitoring and tracking political disinformation campaigns at the German Marshall Fund, the Aspen Institute, and the German Council on Foreign Relations to trick recipients into clicking on links and potentially losing data and sensitive information, Microsoft said. All told, they attacked 104 email addresses across Belgium, France, Germany, Poland, Romania and Serbia.

“These attacks came as no surprise,” said Karen Donfried, president of the German Marshall Fund, in a statement Tuesday. "Everything we do as an organization, from our policy research to our work strengthening civil society, is dedicated to advancing and protecting democratic values. The announcement serves as a reminder that the assault on these values is real and relentless.”

Donfreid said her organization would work with Microsoft to mitigate security breaches, and that attacks reinforce that organizations like think tanks, not just candidates and campaigns, must be aware of “malign forces, including sophisticated state actors.”

“With European parliamentary elections this spring and American presidential elections next year, it is more important than ever that we be vigilant to protect our democracies from foreign interference, including online,” she said.  

Microsoft’s report follows the Democratic National Committee, or DNC, stating in January that it had again been targeted by Cozy Bear, another group associated with the Russian FSB intelligence service that helped Fancy Bear attack the DNC in 2016.

In 2017, Microsoft began challenging the Russian tactic by suing to legally seize control of the false internet domains.

Last summer, Microsoft caught the Fancy Bear group setting up phony domains purporting to be legitimate political organizations and intending to trick phishing victims into clicking on malicious links. The organizations targeted in 2018 included the conservative Hudson Institute as well as the International Republican Institute, or IRI, a quasi-governmental organization that conducts election monitoring.

Microsoft has used legal domain squatting challenges 12 times to shut down 84 fake Fancy Bear websites.