Date: Sep 2019

Location: United States of America

Summary

The German Marshall Fund of the United States was among over 200 organizations targeted by Strontium, a Russian state-aligned actor, in credential harvesting campaigns aimed at political and policy-related entities. The group used brute force attacks, password sprays, and over 1,000 rotating IP addresses, many of them Tor exit nodes, to obscure its operations while targeting U.S. political consultants, think tanks, and European political parties. Microsoft detected and disrupted most of the attacks and assessed the activity as intelligence gathering or preparation for possible disruption. The incident reflected broader adversarial targeting of election-related organizations, with compromised accounts likely enabling unauthorized access to sensitive information.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 3 actors
Type: Available to members
Location: Available to members

Description

Between September 2019 and September 2020, the Russian state-sponsored threat actor Strontium (also identified in the Mueller Report as responsible for 2016 election interference) conducted a sustained cyber campaign targeting over 200 organizations globally. The German Marshall Fund of the United States, a Washington-based think tank focused on international affairs, was among the entities compromised in this operation. Strontium used evolving tactics, including brute force attacks, password spraying, and credential harvesting, to gain access to accounts. Its attack infrastructure used over 1,000 rotating IP addresses, many routed through the Tor anonymity network, to obscure the source of the activity. Targets included U.S. political consultants serving both major parties, national and state political organizations, European political parties, and policy-oriented institutions like The German Marshall Fund. Microsoft's Threat Intelligence Center (MSTIC) observed these activities for months before reaching high-confidence attribution to Strontium. The group expanded beyond traditional spear-phishing to automated attacks, rotating approximately 20 IP addresses daily to evade detection. While the exact intrusion vector against The German Marshall Fund was not detailed, its inclusion among the targeted think tanks and advocacy groups indicates compromise attempts consistent with Strontium's broader intelligence-gathering objectives related to geopolitical influence operations.


Microsoft detected and disrupted most of the attacks through built-in security features in its products and notified affected organizations, including The German Marshall Fund. The campaign's primary impact was unauthorized access attempts against accounts holding sensitive political and policy-related information. Strontium's operations against think tanks aimed to harvest credentials for persistent intelligence collection ahead of the 2020 U.S. election. Microsoft executed legal and technical countermeasures by seizing control of malicious domains and infrastructure. The company provided targeted customers with threat intelligence through its AccountGuard service and published technical guidance on Strontium's tradecraft. No specific data exfiltration or operational disruption at The German Marshall Fund was disclosed, though the attempted compromises required defensive measures by the organization. Microsoft's federal court actions in Washington, D.C. enabled takedowns of malicious infrastructure used in related campaigns. The incident highlighted the continued targeting of policy institutions as secondary vectors in election-focused cyber operations.
