Microsoft notes that it has "no evidence" to indicate the domains were used in any successful attacks, or to conclusively determine their ultimate object.
"In this particular instance we believe we were able to act quickly enough that these specific sites were not used successfully," Brad Smith, Microsoft's president and chief legal officer, tells NPR. He adds that the latest activity "clearly suggests" that the hacker group is focusing on conservative organizations.
Elizabeth Dwoskin of The Washington Post explains why the starkly similar domain names are significant — and why Microsoft has a vested interest in shutting them down.
"Remember, Microsoft is managing one of the largest corporate email programs in the world," she tells NPR. "When you open up your email and you click on a link — you think it's an email from a trusted person, and then you're taken to a website that is loaded up with malware and it's going to take your credentials."
The hackers sent emails to board members or think tank employees that notified them of a problem with their email account and directed them to bogus websites, according to Smith.
"When they get to this site they see, typically, a page that looks just like a page of their employer, where they work, they're asked to enter their password and then their credentials are harvested, so to speak," he says.
Microsoft says that "these domains show a broadening of entities targeted by Strontium's activities" — and adds that the attacks are neither the first nor likely to be the last to be launched by the hacking group. The company says that in just the past two years, it has shut down 84 such fake websites.
"Despite last week's steps, we are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States," Microsoft says. "Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France."
That's a sentiment echoed by one of the most recent apparent targets, the IRI, which is chaired by sitting U.S. Sen. Dan Sullivan, R-Alaska.
"This apparent spear-phishing attempt against the International Republican Institute and other organizations is consistent with the campaign of meddling that the Kremlin has waged against organizations that support democracy and human rights," the group's president, Daniel Twining, tells The Washington Post. "It is clearly designed to sow confusion, conflict and fear among those who criticize Mr. Putin's authoritarian regime."
The Kremlin has denied the allegations, according to the Russian news agency Interfax. It cites an unnamed diplomatic source who reportedly dismissed the claims as Microsoft simply "playing political games": "The elections have not happened yet," the diplomat says, "but there are already allegations."
The U.S. intelligence community has concluded that Russian interference in the 2016 election was aimed at boosting Donald Trump's bid for the presidency. Just last month the Justice Department charged 12 Russian intelligence officers, members of the GRU, with leveling a massive cyberattack against Democratic Party targets during the 2016 campaign, including the hack of the DNC's network.
President Trump, for his part, has offered shifting accounts of how he views the Russian activity, at times downplaying these cyberattacks and the prospect of their recurrence, while at others pledging to "counteract it very strongly." Occasionally those shifts have come within a matter of hours.
Lawmakers and members of Trump's own administration, however, have offered more concrete assessments.
"We are not yet seeing the kind of electoral interference in specific states and voter databases that we experienced in 2016," Director of National Intelligence Dan Coats said last month. "However, we fully realize that we are just one click of the keyboard away from a similar situation repeating itself."
Microsoft's 'Interesting Business Play'
As for Microsoft, the company announced new initiatives and new partnerships to prevent the kinds of attacks seen in 2016 from resurfacing.
The company used its blog post announcing last week's court-ordered maneuver to introduce a new program called AccountGuard, which it says will provide "cybersecurity protection at no extra cost to all candidates and campaign offices at the federal, state and local level, as well as think tanks and political organizations we now believe are under attack."
In an interview with KQED, The Washington Post's Dwoskin noted a contrast with Microsoft's counterparts in Silicon Valley.
"It's kind of an interesting business play," she says. "[These new free cybersecurity protection services] made me think about Google and Gmail and how you haven't heard this kind of thing from Google, whose employees, we know, were protesting government contracts not too long ago. Ever since Microsoft's huge antitrust case in the '90s, they've tried to have a closer relationship with government than their Silicon Valley counterparts."
Microsoft's Smith says Russian cyberattacks in 2016 "have been even broader than we first thought. That's across the tech sector, that's across this country."