Hackers linked to Russia’s government tried to target the websites of two right-wing U.S. think-tanks, suggesting they were broadening their attacks in the build-up to November elections, Microsoft said.

The software giant said it thwarted the attempts last week by taking control of sites that hackers had designed to mimic the pages of The International Republican Institute and The Hudson Institute. Users were redirected to fake addresses where they were asked to enter usernames and passwords.

There was no immediate comment from Russian authorities, but the Kremlin was expected to address the report later on Tuesday. It has regularly dismissed accusations that it has used hackers to influence U.S. elections and political opinion.

Casting such allegations as part of an anti-Russian campaign designed to justify new sanctions on Russia, it says it wants to improve not worsen ties with Washington.

“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Microsoft said in a blog post overnight.

The International Republican Institute has a roster of high-profile Republican board members, including Senator John McCain of Arizona who has criticized U.S. President Donald Trump’s interactions with Russia, and Moscow’s rights record.

The Hudson Institute, another conservative group, has hosted discussions on topics including cybersecurity, according to Microsoft. It has also examined the rise of kleptocracy, especially in Russia and has been critical of the Russian government, the New York Times reported.

“They (the Russians) are pursuing attacks that they perceive in their own national self-interest,” Eric Rosenbach, the director of the Defending Digital Democracy project at Harvard University, told the New York Times.

“It’s about disrupting and diminishing any group that challenges how Putin’s Russia is operating at home and around the world.”

CYBER-TENSIONS

Microsoft’s report comes amid increasing cyber-tensions between Moscow and Washington ahead of the congressional votes in November.

A federal grand jury in the U.S. indicted 12 Russian intelligence officers in July on charges of hacking the computer networks of 2016 Democratic presidential candidate Hillary Clinton and the Democratic Party.

Special Counsel Robert Mueller is investigating Russia’s role in the 2016 election and whether Trump’s campaign team colluded with Russians during the vote. Russia denies meddling in the elections while President Trump has denied any collusion.

Microsoft said its digital crimes unit (DCU) had acted on a court order to take control of six internet domains created by a group known variously as Strontium, Fancy Bear and APT28, which it said was associated with the Russian government.

As well as the two think-tanks, other home pages had been set up to mimic the websites of the U.S. Senate and Microsoft’s own Office software suite, it added.

The type of attack is known as “spear fishing,” in which the hackers trick victims into entering their username and password into the fake site in order to steal their credentials.

“To be clear, we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains,” Microsoft said on the blog.

Facebook said late last month it had removed 32 pages and fake accounts from its platforms in a bid to combat foreign meddling ahead of the U.S. votes.

The company stopped short of identifying the source of the misinformation. But members of Congress who had been briefed by Facebook on the matter said the methodology of the influence campaign suggested Russian involvement.

(Reporting by Brendan O’Brien; Additional reporting by Andrew Osborn in Moscow; Editing by Simon Cameron-Moore and Andrew Heavens)

Def Con, one of the world’s largest security conventions, served as a laboratory for breaking into voting machines on Friday, extending its efforts to identify potential security flaws in technology that may be used in the November U.S. elections.

Hackers will continue to probe the systems over the weekend in a bid to discover new vulnerabilities, which could be turned over to voting machine makers to fix.

The three-day Las Vegas-based “Voting Village” also aimed to expose security issues in digital poll books and memory-card readers.

“We see a lot of value in doing things like this. We think it’s important,” said Jeanette Manfra, assistant secretary of cybersecurity and communications at the U.S. Department of Homeland Security, in an interview.

“The idea is, when we find things here, how do we connect them with the actual vendors and make sure that we are closing this loop back to a coordinated vulnerability disclosure process.”

Def Con held its first voting village last year after U.S. intelligence agencies concluded the Russian government used hacking in its attempt to support Donald Trump’s 2016 candidacy for president. Moscow has denied the allegations.

Organizers have returned ahead of the November elections, in which Democrats hope to take control of the U.S. House of Representatives. Trump’s national security team last week warned that Russia had launched “pervasive” efforts to interfere in the elections.

“These vulnerabilities that will be identified over the course of the next three days would, in an actual election, cause mass chaos,” said Jake Braun, one of the village’s organizers. “They need to be identified and addressed, regardless of the environment in which they are found.”

Participants will have a chance to hack into more than five types of voting machines from manufacturers including Elections Systems & Software and Dominion Voting.

Last year a Danish researcher figured out how to take control of a touchscreen voting system used through 2014 in a remote hack that organizers said could work from up to 1,000 feet away.

A group representing U.S. secretaries of state lauded the goal of bolstering election security, but warned that the findings might be skewed.

“It utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” the National Association of Secretaries of State said in a statement.

Verified Voting, an advocacy group that helped organise the hacking village, said that some of the voting machine models being tested are still used to tally votes across the United States.

One system, the Dominion Premier/Diebold AccuVote TSx system, is used in 20 states and 23,784 precincts, according to Verified Voting.

Creators of fake accounts and news pages on Facebook are learning from their past mistakes and making themselves harder to track and identify, posing new challenges in preventing the platform from being used for political misinformation, cyber security experts say.

This was apparent as Facebook tried to determine who created pages it said were aimed at sowing dissension among U.S. voters ahead of congressional elections in November. The company said on Tuesday it had removed 32 fake pages and accounts from Facebook and Instagram involved in what it called “coordinated inauthentic behavior.”

While the United States improves its efforts to monitor and root out such intrusions, the intruders keep getting better at it, said cyber security experts interviewed over the past two days.

Ben Nimmo, a senior fellow at the Washington-based Digital Forensic Research Lab, said he had noticed the latest pages used less original language, rather cribbing from copy already on the internet.

“Linguistic mistakes would give them away before, between 2014 and 2017,” Nimmo told Reuters. “In some of these newer cases it seems they’ve caught on to that by writing less (original material) when posting things. With their longer posts sometimes it’s just pirated, copy and pasted from some American website. That makes them less suspicious.”

Facebook’s prior announcement on the topic of fake accounts, in April, directly connected a Russian group known as the Internet Research Agency to a myriad of posts, events and propaganda that were placed on Facebook leading up to the 2016 U.S. presidential election.

This time, Facebook did not identify the source of the misinformation.

“It’s clear that whoever set up these accounts went to much greater lengths to obscure their true identities than the Russian-based Internet Research Agency (IRA) has in the past,” the company said in a blog post, https://newsroom.fb.com/news/2018/07/removing-bad-actors-on-facebook, on Tuesday, announcing the removal of the pages. “Our technical forensics are insufficient to provide high confidence attribution at this time.”

Facebook said it had shared evidence connected to the latest flagged posts with several private sector partners, including the Digital Forensic Research Lab, an organization founded by the Atlantic Council, a Washington think tank.

Facebook also said the use of virtual private networks, internet phone services, and domestic currency to pay for advertisements helped obfuscate the source of the accounts and pages. The perpetrators also used a third party, which Facebook declined to name, to post content.

Facebook declined to comment further, referring back to its blog post.

U.S. President Donald Trump’s top national security aides said on Thursday that Russia is behind “pervasive” attempts to interfere in November’s elections and that they expect attempts by Russia, and others, will continue into the 2020 elections.

They say they are concerned that attempts will be made to foment confusion and anger among various political groups in the United States and cause a distrust of the electoral process.

Two U.S. intelligence officials who requested anonymity told Reuters this week there was insufficient evidence to conclude that Russia was behind the latest Facebook campaign. However, one said “the similarities, aims and methodology relative to the 2016 Russian campaign are quite striking.”

‘PREVIOUS MISTAKES’

Experts who track online disinformation campaigns said the groups who launch such efforts have changed how they post content and create posts.

“These actors are learning from previous mistakes,” said John Kelly, chief executive of social media intelligence firm Graphika, adding they do not use the same internet addresses or pay in foreign currency.

“And as more players in the world learn these dark arts, it’s easier for them to hide among the multiple actors deploying the same playbook,” he said.

Philip Howard, an Oxford University professor of internet studies and director of the Oxford Internet Institute, said that suspicious social media accounts like those taken down this week were once more easily identifiable because they shared the same information from high-profile publications like RT, the Russian English-language news service, or Breitbart News Network.

But now, the content they often share is more diverse and less discernible, coming from lesser known sites, including internet forums that mix political news with other topics, he said.

“The junk news they’re sharing is using better quality images, for example, more believable domains, less-known websites, smaller blogs,” Howard added.

U.S. intelligence agencies have concluded that Russia meddled in the 2016 presidential campaign using tactics including fake Facebook accounts. The Internet Research Agency was one of three Russian companies charged in February by U.S. Special Counsel Robert Mueller with conspiracy to tamper with the 2016 election.

Moscow has denied any election interference.