The U.S. company said it was “confident” that attacks targeting employees of organizations including the German Council on Foreign Relations, The Aspen Institute and The German Marshall Fund, originated from a group called Strontium, also known as Fancy Bear or APT 28. Microsoft, which is continuing to investigate the source of the attacks, has previously said the group is widely associated with the Russian government.
The German Council on Foreign Relations was hacked “for a limited time” last year and has since beefed up its digital defenses, said Eva-Maria McCormack, a spokeswoman for the Berlin think tank.
The announcement by Microsoft comes as EU officials are bracing for attempted meddling online by Russia-backed operatives ahead of the bloc’s elections, where far-right parties are set to make gains. Officials are concerned about potential attacks targeting voting technology and those designed to try to manipulate voting behavior.
The attacks “validate the warnings from European leaders about the threat level we should expect to see in Europe this year,” said Tom Burt, corporate vice president at Microsoft, in a blog post Wednesday.
In an attempt to gain access to employee credentials and deliver malware, the attackers created malicious links and spoof email addresses that appeared legitimate and targeted 104 accounts of think tank employees located in Belgium, France, Germany, Poland, Romania and Serbia. The attacks took place between September and December last year, Microsoft said.
“These attacks came as no surprise,” German Marshall Fund President Karen Donfried said in a statement. She said the organization is constantly reviewing and updating its protocols in light of cyber-security developments. The Aspen Institute didn’t immediately respond to a request for comment.
Microsoft last year said it uncovered activity by Strontium attempting to mimic conservative organizations in the U.S., such as the International Republican Institute and the Hudson Institute, in an apparent attempt to disrupt the U.S. Midterm elections.
Cybersecurity firm FireEye Inc. has previously said the hacking group is an intelligence-gathering operator, whose primary mission is to collect information quietly to provide Russian policy makers with insight.
Social media and tech platforms, including Twitter Inc. and Facebook Inc., say they are ramping up efforts to spot potential threats and provide more transparency around who is paying for political ads.
Germany has had its fair share of cyber attacks. Hackers released private data linked to Chancellor Angela Merkel and hundreds of other German politicians in January, in the biggest data dump of this kind in the country.
Hackers also tried to infiltrate computers of think tanks associated with the governing CDU and SPD parties in 2017. A year earlier, scammers set up a fake server in Latvia to flood German lawmakers with phishing emails.
In 2015, attackers breached the network of the Bundestag parliament and stole 16 gigabytes of data. Security firm Trend Micro Inc. has linked the Bundestag attack and others to Pawn Storm -- another alias for Strontium. The Russian government has repeatedly denied it’s hacking foreign powers.
Since 2007 Strontium has targeted government bodies, diplomatic institutions, military forces and installations, journalists and political advisers and organizations, according to Microsoft.