The Russian intelligence agency behind 2016’s election attacks is training its sights on billionaire financier George Soros, The Daily Beast has learned. The move comes hot on the heels of a surge in U.S.-focused hacking by Russia’s Main Intelligence Directorate with similarities to 2016 in targeting and methodology.
Laura Silber, chief communications officer for Soros’ Open Society Foundations, confirmed a hack attempt, but couldn’t identify the culprit or provide additional details over the weekend. “We were aware of an attack,” Silber told the Daily Beast.
Last month Microsoft quietly seized a new batch of 10 deceptive domain names the company says were set up by the hackers known as Fancy Bear, the group intelligence officials and independent analysts have long attributed to Russia’s Main Intelligence Directorate, the GRU. Those web addresses imitate genuine domains used for Microsoft services like Sharepoint, an unmistakable sign that they were intended for use in phishing attacks, in which a victim is tricked into typing their password into a fake login page.
One domain targets a Singapore-based investment firm, and another references the Berlin anti-corruption organization Transparency International, which Russia has targeted before. Others are generic or ambiguous in their targeting. But one seized domain, soros-my-sharepoint[.]com, jumps out as a clear reference to Soros, a past GRU target from Russia’s 2016 election interference.
An additional four phishing domains registered in the same time frame appear to target Soros’ Open Society Foundations, said Kyle Ehmke, an intelligence researcher at the Arlington, Virginia-based cybersecurity firm ThreatConnect. Those domains haven’t been seized and ThreatConnect hasn’t found enough evidence to definitively link them to the Russian hackers, said Ehmke.
The Kremlin’s targeting of Soros and his organization carries echoes of 2016, when the GRU dumped 2,500 files stolen from the Open Society Foundations for the debut of “DC Leaks”, the fake leak site the spies created for their 2016 election interference campaign.
“SOROS INTERNAL FILES – BIG DATA”, the site announced at the time.
Some of the stolen files were reportedly altered to create the appearance that Soros was secretly financing Russian opposition candidates, making the leak politically useful to Vladmir Putin. More importantly, the Soros dump earned DC Leaks instant credibility in American right-wing circles, where the 88-year-old Hungarian-American philanthropist plays the role of villainous global puppet-master in countless conspiracy theories.
Russia’s Internet Research Agency—the so-called “troll farm, later indicted by Special Counsel Robert Mueller—pushed the same trope on its Facebook and Instagram feeds in the run-up to election day. One meme featured a close-up of Soros against a backdrop of anti-Trump picketers. “No lives matter for those who sponsoring [sic] anti Trump protests,” the caption read. Another imagined Soros confronting the late Senator John McCain. “Hey Johnny, I’m paying you a fortune. I don’t care how much cancer you have, get back to DC and backstab Trump.”
The Soros targeting comes in the wave of what one expert describes as a fresh wave of Fancy Bear attempts against political nonprofits in the U.S. that ran from last December to March or April of this year, using similar tactics to the mass phishing campaign that famously ensnared Hillary Clinton’s campaign chief in 2016.
“It’s a similar type of activity to what hit Podesta,” said Robert Johnston, the former Marine Corp captain who investigated the 2016 DNC breach, and now heads the financial cybersecurity firm Adlumin. “These were against political organizations and NGOs. The FBI has reached out to of bunch of them.”
In 2016 Microsoft sued Fancy Bear in federal court in Virginia and won, unopposed, an injunction allowing the company to seize any web addresses registered by the GRU’s hackers that imitate a Microsoft product or service. The company has seized over 100 domains so far.
Experts caution that Russia’s hackers have always cast a wide net, and there’s no way to tell what their motives are in revisiting old haunts now. It may be pure intelligence gathering, or the opening salvo of a 2020 election interference campaign.
“We don't know whether they are ultimately looking to compromise targets for influence operations, internal intelligence uses, or both,” said Ehmke.
Either way, Russia likely views its 2016 efforts as a success, and is certain to try for an encore. “I think you should absolutely anticipate a very vocal Russian interference in the 2020 elections,” said Johnston.