Written by Ryan Duffy

The same Russian hacking group that breached the Democratic National Committee (DNC) also tried to penetrate the campaigns of several candidates running for the midterm elections, a Microsoft executive revealed for the first time Thursday. The disclosure marks the first known case of a foreign government explicitly targeting the 2018 election.

Speaking on an election security panel at the Aspen Security Forum, Tom Burt, vice president for customer security and trust at Microsoft, said there had been three separate attempts to hack 2018 midterm campaigns earlier this year.

Microsoft’s security team, which counts both Republican and Democratic campaigns among its clients, detected a series of spearphishing emails sent to midterm candidates. The emails paralleled similar activity from 2016 previously attributed to Russian hacking group “APT28,” also known as “Fancy Bear.”

Burt declined to name the campaigns but said: “I can tell you that they were all people who, because of their positions, might have been interesting targets from an espionage standpoint as well as from an election standpoint.”

In a statement, DNC spokesperson Xochitl Hinojosa said: “We saw the Russians attack our democracy in 2016 and we know they’re a threat in 2018, 2020 and beyond. Unfortunately, the President refuses to acknowledge this serious threat to our country, and House Republicans are refusing to increase funding for election security. It’s time for this administration and Congress to take action to protect our election systems.”

The Democratic Congressional Campaign Committee (DCCC), Republican National Committee (RNC) and Microsoft did not immediately respond to a request for comment.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” Burt said. “And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the [midterms.]”

Microsoft’s security team, working with the government, thwarted the attackers by taking down their malicious domains. “We were able to avoid anybody being affected by that attack,” Burt said. “They tried, they weren’t successful and the government security teams deserve a lot of the credit.”

Burt said that in the run-up to the 2016 presidential election, his team detected strange activity. A group was registering fake Microsoft domains and using them as command-and-control sites to launch phishing attacks. Burt’s team quickly and successfully took legal action to transfer the domain names to a Microsoft-controlled sinkhole.

After digging in, they discovered that the fake domain names were being registered by APT28, which is associated with the Main Intelligence Directorate (GRU), a Russian military intelligence agency. Microsoft’s name for APT28 is “Strontium.”

Last week, the Department of Justice indicted 12 Russian military officers for their involvement in the hacking of U.S. targets during the 2016 presidential campaign.

Microsoft has been working in close conjunction with other big tech companies to share threat intelligence information, Burt said.

In December, Facebook and Microsoft helped counter an active North Korean cyber operation. Facebook, for their part, deleted accounts associated with the North Korean-linked “Lazarus Group,” while Microsoft disrupted the hackers’ malware, cleaned infected computers and disabled related accounts.

Despite the three campaign attacks that Microsoft observed and repelled, “I would say that the consensus of the threat intel community right now is that we’re not seeing the same level of activity by the Russian activity groups leading into the midterm elections that we could see when we look back in the 2016 elections,” Burt said.

At this point, the Russians don’t appear to be targeting think tanks, academic, and social network, as they had in 2016, Burt said, suggesting that the activity Microsoft observed earlier this year is the exception rather than the norm.