Future Tense

Microsoft Blames Russia-Linked Hacking Group for Cyberattack

Microsoft says a cyberattack group linked to Russia exploited a vulnerability in Windows.

Patrick Lux/Getty Images

On Tuesday, Microsoft alleged that a hacking group previously linked to the cyberattack on the Democratic National Committee has exploited a security flaw in Adobe’s Flash Player and Microsoft’s Windows operating system.* In a blog post, Windows Executive Vice President Terry Myerson said that the group, which Microsoft codenamed STRONTIUM, used the vulnerability to conduct a “low-volume spear-phishing campaign,” or attacks targeted at individuals.

STRONTIUM is also known as Fancy Bear, Sednit, APT28, and Sofacy. Microsoft says that a patch for the flaw will be publicly released Nov. 8—Election Day. According to Reuters, Fancy Bear primarily works for or on behalf of the GRU, which is Russia’s military intelligence agency.


The day before Myerson’s announcement, Google revealed the security flaw in Microsoft’s network, calling the vulnerability “particularly serious because we know it is being actively exploited.” In the post, Google’s threat analysis group reported that it had discovered and reported the zero-day vulnerability (a previously publicly unknown security flaw) to Adobe and Microsoft on Oct. 21, and had given the company seven days to address it. Adobe updated Flash on Oct. 26, but when Windows failed to address its vulnerability after the allotted time, Google publicly disclosed it.


Microsoft criticized Google for disclosing the attack before it had time to create a fix. In his post, Myerson wrote:

We believe responsible technology industry participation puts the customer first, and requires coordinated vulnerability disclosure. Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk.


According to Microsoft’s security intelligence report, STRONTIUM has been active since at least 2007 and has previously targeted government bodies, diplomatic institutions, and NATO military forces and installations. It first identifies targets within a group and then repeatedly conducts spear-phishing attempts to steal login information. When one succeeds, the malware can be installed, giving STRONTIUM access to sensitive information within the network.

The Obama administration officially accused Russia in October of attempting to interfere with the U.S. election, including by hacking into the computers of the Democratic National Committee and the Democratic Congressional Campaign Committee as well as the email accounts of former secretary of state Colin Powell and some Hillary Clinton aides. Hours after the government’s accusation, WikiLeaks began publishing leaked emails from Hillary Clinton campaign chairman John Podesta, which also included excerpts from Clinton’s paid speeches to Wall Street banks.

Russia has denied responsibility for the attacks.

*Correction, Nov. 2, 2016: This article originally stated incorrectly that Microsoft owns Adobe Flash. It does not.