A new report from Microsoft highlights major cyberattack campaigns that are actively targeting the United States election cycle.
While elections are routinely attractive targets for interference, Microsoft warns that foreign-linked activity groups have intensified their efforts during this cycle.
Microsoft has identified three primary campaigns originating from countries frequently associated with state-backed cyber operations:
- Strontium (Russian) – Microsoft reports this group has targeted more than 200 organisations, including political campaigns, advocacy groups, parties, and political consultants.
- Zirconium (Chinese) – This group has focused on high-profile individuals, including people connected to the Joe Biden campaign and prominent figures in the international affairs community.
- Phosphorus (Iranian) – Microsoft says this Iranian-linked group has targeted the personal accounts of individuals associated with the Donald J. Trump campaign.
Because Microsoft’s products are widely used, the company is often on the front line of detecting and blocking cyberattacks. The company states that most of these attacks were detected and stopped by its security tools, and that targeted or compromised individuals were notified so they could take steps to further protect themselves.
Strontium is the same actor linked to intrusions into the 2016 Democratic presidential campaign that featured in the Mueller report. Microsoft asserts that, as in 2016, Strontium aims to harvest login credentials for intelligence gathering or disruptive operations.
During recent elections in the United Kingdom, a controversial leaked document used by former opposition leader Jeremy Corbyn to argue that the National Health Service was at risk drew scrutiny. Corbyn declined to reveal the source of the document. A 19-page analysis by Graphika noted that the leak bore similarities to techniques associated with Secondary Infektion, a Russian influence operation.
Microsoft reports that Strontium has evolved since 2016, adopting new reconnaissance tools and techniques to obscure its activity. The group now employs brute-force and password-spray attacks while hiding its origins behind more than 1,000 rotating IP addresses, many of which are routed through Tor to anonymize its traffic.
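Rotating source IPs defeat the usual per-IP lockout, so a spray has to be spotted by aggregating failures tenant-wide. The following detector is an added example written for this article, not code from Microsoft's report; the log format (ISO time, user, source IP, result), the sample entries and the thresholds are all constructed assumptions.

```python
"""Detect a password spray spread across rotating source IPs.
Added example, not Microsoft's code: per-IP lockouts miss a spray where each IP
tries one or two passwords against many accounts, so failures are aggregated
tenant-wide per window. Constructed log; fields: ISO time, user, IP, result."""
from collections import defaultdict
from datetime import datetime

CONSTRUCTED_LOG = """\
2020-09-10T08:00:01 alice 203.0.113.10 FAIL
2020-09-10T08:00:03 bob 203.0.113.11 FAIL
2020-09-10T08:00:05 carol 198.51.100.7 FAIL
2020-09-10T08:00:07 dave 198.51.100.8 FAIL
2020-09-10T08:00:09 erin 192.0.2.44 FAIL
2020-09-10T08:00:11 frank 192.0.2.45 FAIL
2020-09-10T08:00:13 grace 203.0.113.12 FAIL
2020-09-10T08:00:15 heidi 198.51.100.9 FAIL
2020-09-10T08:00:17 ivan 203.0.113.10 SUCCESS
2020-09-10T08:00:19 judy 203.0.113.13 FAIL
"""

def parse(log):
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def spray_windows(log, window_minutes=10, min_users=8, max_per_user=2, min_ips=5):
    """Bucket events into fixed windows; flag a window when many accounts each
    see only a few failures and those failures come from many distinct IPs.
    One account hammered from one IP (brute force) exceeds max_per_user and is
    left to ordinary per-IP rules."""
    fails = defaultdict(lambda: defaultdict(list))  # window -> user -> [ip, ...]
    wins = defaultdict(list)                         # window -> [(user, ip), ...]
    for ts, user, ip, result in parse(log):
        key = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        if result == "FAIL":
            fails[key][user].append(ip)
        else:
            wins[key].append((user, ip))
    alerts = []
    for key, per_user in sorted(fails.items()):
        spray_ips = {ip for ips in per_user.values() for ip in ips}
        few_each = max(map(len, per_user.values())) <= max_per_user
        if len(per_user) >= min_users and few_each and len(spray_ips) >= min_ips:
            # A success from an IP that also produced spray failures marks the
            # account most worth notifying, as Microsoft did with affected users.
            hits = sorted({u for u, ip in wins[key] if ip in spray_ips})
            alerts.append({"window": key.isoformat(), "users": len(per_user),
                           "ips": len(spray_ips), "possible_hits": hits})
    return alerts
```

On the constructed log the 08:00 window is flagged (nine accounts, nine IPs, one attempt each) and ivan is listed as a possible hit because his successful sign-in came from an IP that had just failed against alice.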
Zirconium, the group Microsoft attributes to China, was linked to approximately 150 compromises between March and September 2020.
Zirconium primarily targets individuals close to U.S. presidential campaigns and actors in the international affairs community.
Microsoft describes Zirconium’s common tactic as creating domains filled with plausible content. When a prospective victim visits such a site, the attackers can determine whether the targeted account is active and worth pursuing further.
Phosphorus, the Iran-linked group, previously faced legal action from Microsoft after the company discovered the group’s efforts to target a U.S. presidential campaign. Microsoft successfully pursued court orders to seize parts of the group’s infrastructure.
Most recently, a federal court in Washington granted Microsoft permission to take control of 25 additional domains tied to Phosphorus. To date, Microsoft has disrupted 155 domains associated with the group.
Evolving campaigns
Beyond election-focused activity, Russian influence operations have increasingly used the COVID-19 pandemic as material to inflame divisions and spread discord.
Lea Gabrielle, coordinator of the U.S. Global Engagement Center, has warned that Russia’s disinformation ecosystem is exploiting global fear of the pandemic to advance strategic priorities.
Social media narratives linked to Russian influence efforts have promoted COVID-19 conspiracy theories—such as claims that 5G causes the virus or that the virus was a U.S. bioweapon targeting China. These tactics echo earlier Soviet-era disinformation campaigns, for example when the KGB spread false claims in the 1980s that AIDS was a CIA-created biological weapon.
One publisher, Natural News, helped amplify the viral “Plandemic” video and republished content from troll networks asserting that the virus is part of a plot to control populations through vaccines. Natural News also circulated debunked claims that wearing masks increases infection risk or causes brain damage by reducing oxygen.
The COVID-19 disinformation effort illustrates how influence operations have matured. Early campaigns often relied on entirely fabricated stories and forged images—such as a false Ebola outbreak in Atlanta in 2016—which proved less effective.
Modern operations are more sophisticated: they exploit pre-existing fears about vaccination, immigration, and climate change and craft messages tailored to different audiences. By telling people what they already believe or fear, these campaigns are more likely to be reshared and to spread organically.
For example, COVID-19 messaging aimed at conservative audiences frames public-health measures as threats to freedom and emphasizes blame toward China. Messaging targeted at left-leaning audiences highlights perceived immorality or incompetence in government responses. Tailoring across the political spectrum amplifies division and undermines trust in institutions.
All of these tactics serve the attackers’ broader objectives: to sow discord, weaken public confidence, and destabilize democratic societies.