Microsoft has discovered and disabled six malicious spearphishing sites designed to appear as though they were legitimate sites associated with the US Senate and conservative think tanks.

The Washington Post reports that the group behind the sites, known as APT28, Fancy Bear or Strontium, is publicly linked to the Russian intelligence agency GRU and is known to have actively interfered in the 2016 elections. The hackers allegedly established domains meant to be confused with those of two conservative groups that have been critical of the Kremlin.

Other false domains mimicked U.S. Senate pages. APT28 is widely believed by cybersecurity researchers to have been responsible for the email hacking of Clinton campaign chairman John Podesta. The Kremlin has denied the allegations.

Fake sites can be used to deliver malware to the computers of those who visit them and to steal sensitive data. Victims are lured to these sites with phishing emails that appear to come from trusted sources. Brad Smith, Microsoft President and Chief Legal Officer, told NPR, “The hackers sent emails to board members or think tank employees that notified them of a problem with their email account and directed them to bogus websites.”

Smith added, “When they get to this site they see, typically, a page that looks just like a page of their employer, where they work, they’re asked to enter their password and then their credentials are harvested, so to speak.”

In order to shut down the websites, Microsoft pursued a court order that would transfer the domain names to its own servers. The company has done this with other APT28 sites, disabling 84 sites since 2016.

Get the full story at The Washington Post.