{ "Event": { "analysis": "2", "date": "2018-08-21", "extends_uuid": "", "info": "OSINT - Microsoft Disrupts APT28 Hacking Campaign Aimed at US Midterm Elections", "publish_timestamp": "1535013049", "published": true, "threat_level_id": "3", "timestamp": "1534929537", "uuid": "5b7d1f89-9148-4961-b56f-9168950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:microsoft-activity-group=\"STRONTIUM\"" }, { "colour": "#12e000", "name": "misp-galaxy:threat-actor=\"Sofacy\"" }, { "colour": "#0088cc", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT28\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534926911", "to_ids": false, "type": "link", "uuid": "5b7d202d-a748-4e91-aed4-916a950d210f", "value": "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534926902", "to_ids": false, "type": "link", "uuid": "5b7d202d-9548-48f3-a247-916a950d210f", "value": "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534927744", "to_ids": false, "type": "text", "uuid": "5b7d2380-a91c-43fe-99c2-9161950d210f", "value": "Last week\u00e2\u20ac\u2122s order transferred control of the six internet domains listed below from Strontium to Microsoft, preventing Strontium from using them and enabling us to more closely look for evidence of what Strontium intended to do with the domains.\r\n\r\nImportantly, these domains show a broadening of entities targeted by Strontium\u00e2\u20ac\u2122s activities. One appears to mimic the domain of the International Republican Institute, which promotes democratic principles and is led by a notable board of directors, including six Republican senators and a leading senatorial candidate. Another is similar to the domain used by the Hudson Institute, which hosts prominent discussions on topics including cybersecurity, among other important activities. Other domains appear to reference the U.S. Senate but are not specific to particular offices. To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains.\r\n\r\nMicrosoft has notified both nonprofit organizations. Both have responded quickly, and Microsoft will continue to work closely with them and other targeted organizations on countering cybersecurity threats to their systems. We\u00e2\u20ac\u2122ve also been monitoring and addressing domain activity with Senate IT staff the past several months, following prior attacks we detected on the staffs of two current senators.\r\n\r\nDespite last week\u00e2\u20ac\u2122s steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States. Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France." }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928974", "to_ids": true, "type": "domain", "uuid": "5b7d284e-80ec-48a2-9af3-9161950d210f", "value": "my-iri.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928975", "to_ids": true, "type": "domain", "uuid": "5b7d284f-d934-4a8a-87e2-9161950d210f", "value": "hudsonorg-my-sharepoint.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928975", "to_ids": true, "type": "domain", "uuid": "5b7d284f-8764-4eac-8008-9161950d210f", "value": "senate.group" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928976", "to_ids": true, "type": "domain", "uuid": "5b7d2850-a04c-478e-a4b3-9161950d210f", "value": "adfs-senate.services" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928976", "to_ids": true, "type": "domain", "uuid": "5b7d2850-fc14-46be-926c-9161950d210f", "value": "adfs-senate.email" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1534928977", "to_ids": true, "type": "domain", "uuid": "5b7d2851-c208-4c1c-9c8a-9161950d210f", "value": "office365-onedrive.com" } ] } }