Microsoft targets copycat influence websites

malware detection (Alexander Yakimov/

Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

The company's President Brad Smith announced Aug. 20 that Microsoft had won a court battle to take ownership of six website domains designed to "look like sites their targeted victims would expect to receive email from or visit." In this case, the targets were conservative think tanks and congressional Republicans, with URLs designed to mimic the International Republican Institute, the Hudson Institute and the U.S. Senate.

Microsoft claims the activity is linked to "Strontium" or Fancy Bear, an advanced persistent threat group associated with the Russian government, although the organization did not indicate what evidence it was relying on to make the assertion. There's no evidence, Smith said, the sites were able to successfully compromise any targets before Microsoft won control in court.

If left unchecked, the websites could have been used to spoof emails to members of Congress or staffers that would appear to be coming from legitimate domains to facilitate spearphishing campaigns and steal login credentials. Smith said that Microsoft has used a similar approach at least 12 times over the past two years to shut down 84 websites.

"In the face of this continuing activity, we must work on the assumption that these attacks will broaden further," wrote Smith. "An effective response will require even more work to bring people and expertise together from across governments, political parties, campaigns and the tech sector."

Microsoft has been trying to gain control of the sites for two years. In court documents, its lawyers filed a complaint on Aug. 13, 2016, alleging violations of the Computer Fraud and Abuse Act to harm Microsoft and its customers.

The complaint alleges that two unknown individuals led the effort "to direct attacks against targeted networks, to infect computing devices connected to those networks that permit Defendants to compromise the security and conduct reconnaissance of and move latterly through those networks, and to locate and exfiltrate sensitive information."

They also accuse the individuals of accessing the computers and networks of Microsoft customers, intercepting communications via Microsoft's Windows operating system, making unauthorized use of Microsoft trademarks, "trespassing" on the computer networks of Microsoft and its customers, intentionally interfering with Microsoft contracts and profiting unjustly from their unauthorized use and access.

Microsoft said it has notified all potentially affected parties and also indicated that it is working with U.S. Senate IT staff "following prior attacks we detected on the staffs of two current senators."

Thomas Rid, a Johns Hopkins professor, political scientist and cybersecurity expert, was one of the first people to forensically trace the 2016 DNC hack to Russia. He questioned whether the activities represented an attempt to influence the upcoming mid-term elections, rather than more routine intelligence gathering and wanted to see stronger evidence linking the hacking group to the websites.

"Microsoft's threat intel team know what they are doing," Rid tweeted. "So, no reason to doubt them. Still, it would be nice to have a little more detail on how they made the link."

The company's actions come less than a month after Facebook announced it had discovered similar coordinated activity across 32 pages, groups and accounts. Earlier this month, media reports identified two Democratic congressional campaigns that were also the subject of hacking campaigns.

Assessments by the U.S. intelligence community and the Senate have stated with high confidence that the Russian government used a far-reaching disinformation campaign to interfere with the 2016 presidential election and further that those campaigns were intended to help the candidacy of now-President Donald Trump.

The conservative think tanks targeted in the alleged campaign aren't closely aligned with President Trump on foreign policy, observers noted.

"Of note -- these conservative think-tanks cater to the old guard of Republican politics," wrote Crispin Burke, a U.S. Army aviator who writes a personal blog about national security and foreign policy issues. "The International Republican Institute, for instance, has members including noted Russia hawks like John McCain, Mitt Romney … and H.R. McMaster."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.