Microsoft Corp. said Tuesday that it executed a court order to shut down six websites created by a group tied to Russian intelligence that sought to spoof conservative U.S. institutions, the U.S. Senate and Microsoft itself.
The fake sites were intended to trick users into thinking they were clicking on sites run by the Hudson Institute, a conservative Washington think tank, and the International Republican Institute, a nonprofit pro-democracy group whose board includes numerous prominent Republican figures, including Sen. John McCain, R-Ariz., and former Republican National Committee Chairman Frank Fahrenkopf.
Microsoft released the report at midnight, and neither institute answered telephone calls seeking comment. The FBI said it had no immediate comment on the Microsoft order or whether it might be connected to the Justice Department's investigation of alleged Russian hacking.
Other sites appeared to spoof the U.S. Senate, and one posed as a site for Microsoft's Office software program, said Microsoft, which added that its Digital Crimes Unit intercepted the sites before they were "used in any successful attacks."
Microsoft said it has now gone to court to win control of suspicious web domains 12 times in two years "to shut down 84 fake websites associated with this group," which is variously known as Strontium, Fancy Bear and APT28.
In a memorandum in support of its most recent motion, Microsoft said the group sought to "establish a command and control infrastructure by which means Defendants conduct illegal activities, including attacks on computers and networks, monitoring of the activities of users, and the theft of information."
Under the name Fancy Bear, the group was named in special counsel Robert Mueller's indictment of 12 Russian intelligence officials last month for alleged interference in the 2016 presidential election. The indictment specifically said the group comprises two units of the main Russian foreign intelligence service, formerly known as the GRU.
The seized domains are my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services and adfs-senate.email, along with office365-onedrive.com, Microsoft said in a blog post attributed to its president, Brad Smith.
"Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit," Microsoft said in its blog post. "The sites involved in last week's order fit this description."
It warned that these domains show a "broadening of entities" targeted by the group and will require the tech sector "to do more to help protect the democratic process."
"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States," Microsoft said.
"Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."
Microsoft said last month that the campaigns of three political candidates in this year's midterm elections were targeted in phishing attacks. It declined to identify the candidates or say who it believed was behind the attacks.
But Sen. Claire McCaskill, D-Mo., alleged last month that Russian hackers unsuccessfully tried to gain access to her office's computer network, one of the first public acknowledgments of a cyberattack tied to the midterm elections.