In August, with less than three months until the 2020 presidential election, the Trump administration abruptly announced that it was ending congressional in-person briefings on election security. Sen. Marco Rubio later told reporters he believed the Senate Intelligence Committee might still receive some briefings, but officials reportedly stopped the House briefings because they felt members of Congress were leaking sensitive information to the public.
That seems surprising, since even leakers have so far provided the public with little concrete information about the security of the upcoming election or any attempts at intrusion or interference. Instead, Microsoft has offered a much more detailed picture of overseas online activity aimed at the election in a blog post published last week by Tom Burt, the tech company’s corporate vice president for customer security and trust.
The Sept. 10 post described three different groups that had targeted political campaigns and parties in the U.S. and European Union, as well as consultants, advocacy groups, and international affairs experts. According to the analysis, one group is based in Russia, one in China, and one in Iran. Those same three countries were cited in August in a statement by William Evanina, the director of the National Counterintelligence and Security Center, as the foreign actors that the U.S. government was most concerned would try to interfere with the 2020 U.S. elections. At the time, Evanina said that the intelligence community believed China and Iran were trying to undermine Trump’s candidacy, while Russia was aiming to undermine Biden’s campaign. But beyond those general motives, his statement offered very little insight into what the government believed each of those countries was actually doing, technologically, besides “spreading disinformation” and “claims about corruption.”
Microsoft, by contrast, offered a significantly more detailed look at the operations of the three different groups it had tracked. Microsoft says that Strontium, the group identified as operating out of Russia, has targeted more than 200 organizations, including political party organizations and their consultants in the U.S. and the U.K., as well as think tanks and advocacy organizations. With the permission of the victims, Microsoft even named a few specific Strontium targets, including the German Marshall Fund in the United States and the European People’s Party. Unlike efforts by this same group during the 2016 election to access accounts associated with political campaigns primarily through spear phishing emails, the more recent activity has involved brute force attacks, in which adversaries try many different candidate passwords against a user’s account, and password spray, in which adversaries attempt to compromise multiple different accounts at once with a small number of commonly used passwords. Microsoft suggested that these techniques may have allowed Strontium to “automate aspects of their operations” and added that the group has also shifted to rotating between using more than 1,000 different IP addresses, many of them associated with Tor, to make it harder for their actions to be detected and blocked.
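The two credential-guessing patterns described above leave different shapes in an authentication log, and the IP rotation Microsoft mentions is exactly what defeats the naive per-source count. The following is an added example, not code from the Slate article or from Microsoft; the log format, the sample sign-in lines and the thresholds are constructed assumptions.

```python
# Added example, not code from the Slate article or Microsoft's post: sort
# failed sign-ins into brute force vs. password spray. The log format, the
# sample lines and the thresholds below are constructed assumptions.
from collections import defaultdict
# Constructed sample window, one "<timestamp> <user> <source_ip> <result>" per line.
SAMPLE_LOG = """\
2020-09-01T10:00:01 alice 198.51.100.7 FAIL
2020-09-01T10:00:02 bob 198.51.100.7 FAIL
2020-09-01T10:00:03 carol 198.51.100.7 FAIL
2020-09-01T10:05:00 frank 203.0.113.9 FAIL
2020-09-01T10:05:01 frank 203.0.113.9 FAIL
2020-09-01T10:05:02 frank 203.0.113.9 FAIL
2020-09-01T10:05:03 frank 203.0.113.9 FAIL
2020-09-01T10:10:30 grace 192.0.2.44 SUCCESS
"""

# Constructed: the same spray, one guess per account, rotated across exit IPs.
ROTATED_LOG = """\
2020-09-01T11:00:00 alice 198.51.100.10 FAIL
2020-09-01T11:00:07 bob 198.51.100.11 FAIL
2020-09-01T11:00:15 carol 198.51.100.12 FAIL
2020-09-01T11:00:22 dave 198.51.100.13 FAIL
2020-09-01T11:00:30 erin 198.51.100.14 FAIL
"""

def detect(log, spray_users=3, brute_fails=4, wide_users=5):
    """Return sorted (kind, key) findings for one log window.

    spray:             one source IP fails against >= spray_users accounts
    brute_force:       one account collects >= brute_fails failures
    distributed_spray: >= wide_users accounts each fail at most twice from
                       >= wide_users distinct IPs (defeats per-IP counting)
    """
    users_by_ip = defaultdict(set)   # ip -> accounts it failed against
    fails_by_user = defaultdict(int) # account -> failure count
    ips_by_user = defaultdict(set)   # account -> sources that failed on it
    for line in log.splitlines():
        _ts, user, ip, result = line.split()
        if result != "FAIL":         # successes do not count as guessing
            continue
        users_by_ip[ip].add(user)
        fails_by_user[user] += 1
        ips_by_user[user].add(ip)
    findings = {("spray", ip) for ip, u in users_by_ip.items() if len(u) >= spray_users}
    findings |= {("brute_force", u) for u, n in fails_by_user.items() if n >= brute_fails}
    quiet = [u for u, n in fails_by_user.items() if n <= 2]   # low-and-wide accounts
    quiet_ips = {ip for u in quiet for ip in ips_by_user[u]}
    if len(quiet) >= wide_users and len(quiet_ips) >= wide_users:
        findings.add(("distributed_spray", f"{len(quiet)} accounts from {len(quiet_ips)} ips"))
    return sorted(findings)
```

Per-IP rules fire on `SAMPLE_LOG` only; `ROTATED_LOG` is caught solely by the tenant-wide low-and-wide rule, which is why the rotation buys the attacker evasion against the first kind of detection but not the second.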
Zirconium, the Chinese group Microsoft identified in the post, targeted accounts belonging to people involved with U.S. presidential campaigns, as well as international affairs experts at universities and think tanks, including the Atlantic Council and the Stimson Center. The group has successfully executed almost 150 compromises, Microsoft found, but it was often less ambitious in its aims than Strontium. Instead of trying to access the contents of accounts, the point seemed to be to figure out which ones were being used. Zirconium’s primary mode of compromise involved the use of web beacons—code that identifies when a targeted individual has clicked on a link, establishing that their account is active, but does not necessarily grant access to their credentials or accounts.
Finally, the Phosphorus group operating out of Iran had attempted unsuccessfully to access accounts belonging to members of the Trump administration and campaign, Microsoft reported. It’s not clear how many of the other campaigns were successful, but Microsoft did state that the majority of the attacks by these three groups had been detected and stopped by the company’s security tools.
None of this is surprising. Microsoft paints a picture that is very consistent with what we’ve seen from these three countries online in the past: ambitious attempts to access accounts containing sensitive information from Russia, more measured attempts to conduct less intrusive espionage by China, and less technically sophisticated efforts from Iran. But while the report reveals more or less what we might expect, it’s notable that the most detailed information we have about interference with this election is coming from the private sector.
Undoubtedly, it’s a good thing that private companies like Microsoft are publishing information about election interference, especially since they probably operate infrastructure, including email accounts and cloud storage, for many campaigns—that gives them visibility into attack trends and malicious online traffic patterns. Companies like Microsoft, Google, and Amazon also have excellent security teams, and having those teams help protect campaign officials and associated consultants and advisers is all for the good. But parts of Burt’s post also read a little bit like an advertisement for Microsoft’s services (see, for instance, “At Microsoft … we offer AccountGuard threat monitoring, Microsoft 365 for Campaigns and Election Security Advisors to help secure campaigns and their volunteers”), reminding us that Microsoft’s agenda in publishing this information is not just about informing voters or protecting elections. And while it’s great that tech companies are helping to secure campaign accounts, it’s also a little unsettling that they’ve become our go-to line of defense—and information—for election interference. Especially since, as Burt himself points out, the attacks Microsoft can most effectively monitor and defend against are primarily directed at campaigns, not the actual voting systems and election infrastructure.
Burt closes his post with a plea for Congress to provide more federal funding to protect state elections. But the lack of specific information the government has provided about threats directed at the election is almost as concerning as the lack of resources. Most of the concrete information we have about campaign interference—and most of the solutions on offer—seem to be coming from the private sector right now, but that approach can’t and won’t extend to protecting voting systems and election infrastructure, owned and operated by government officials. So Microsoft’s willingness to step up and share information about these ongoing efforts to interfere with political campaigns is both heartening and, at the same time, a frustrating reminder of how little leadership and transparency the federal government has shown in helping protect elections or even informing voters about potential vulnerabilities and threats.