Cyber activity originating in Iran and targeting entities across the United States "spiked" after the Trump administration announced its withdrawal from the nuclear deal last May, Tom Burt, Microsoft's senior vice president of customer security and trust, said on Friday.
Speaking at an election security panel at the Aspen Security Forum in Colorado, Burt said the company saw "an incredible increase, a spike in activity, once the United States announced it was withdrawing from the nuclear treaty."
Burt specified that the Iran-based actors' cyber activity was not necessarily politically focused and "largely" targeted oil and gas organizations.
Earlier in the week, Microsoft published a blog post that said it had notified nearly 10,000 of its customers – which included businesses and consumer email accounts – that they had been targeted by nation-state attacks that originated, in order of volume, from Iran, North Korea and Russia.
"While many of these attacks are unrelated to the democratic process, this data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives," the post said.
The post also announced the demonstration, at the Aspen Security Forum, of a free open-source software system called ElectionGuard that the company said was designed to enhance voting security.
In his Friday remarks, Burt also said Microsoft had seen a "significant increase in activity" from North Korea as nuclear negotiations between Pyongyang and Washington were ongoing. He added that while the company had seen some activity originating from China, "we don't see them [being] as active" as other countries, by volume.
In its blog post, Microsoft said it had issued 781 notifications to customers using its AccountGuard service, which warns political and "democracy-focused" organizations worldwide about targeted cyber attacks – and that 95% of those attacks targeted U.S.-based organizations that were closely associated with the electoral process.
The slight majority of those attacks, too, Burt said, were perpetrated by Iran-based actors, followed, by volume, by Russia-based actors. While the Iranian activity was "not necessarily in any way" associated with hacking democratic processes, Burt said, and instead focused on energy interests, the Russia-based efforts reflected the "same pattern of engagement" observed ahead of the 2016 and 2018 U.S. and European elections.
"Almost every significant election cycle since 2016 we've seen the initial effort being to infiltrate NGOs, academics and think tanks likely to be influential," which could be part of preparing for a disinformation campaign, Burt said.
"What we would say from the data we've seen so far is that we are seeing the early stages of the same kind of pattern of activity by the same actors that we've seen before, and we should expect it to continue," he said.