Microsoft discovers recent campaigns by the Iranian hacking group Phosphorus targeting politicians in the U.S.
Yesterday Microsoft disclosed that state-sponsored Iranian hackers tried to break into email accounts belonging to former US government officials and members of a 2020 US presidential campaign. In its statement, Microsoft describes attacks that took place in August and September and potentially resulted in compromised email accounts. Tom Burt, Corporate Vice President, stated in the report:
In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.
According to the researchers, the targeted accounts belonged to journalists, politicians and even Iranians living outside the country. Four accounts were compromised during these attempts, although none of them were associated with US government officials. Microsoft promised to notify the customers who might be affected by the investigation and the threats so that their accounts can be secured.
Phosphorus hacker group to blame
Microsoft tracked these attacks and, based on the observed activity, attributed them to the Phosphorus group, also known as APT35, Charming Kitten and Ajax Security Team. This group is known for using spear-phishing in campaigns against government institutions and has been linked to Iran's government by many cybersecurity vendors and research teams.
The group, tracked by Microsoft's Threat Intelligence Center since 2013, targeted accounts related to politics and journalism over a 30-day period, and experts noted that it operated in different stages:
- First, 2,700 probes were made to identify specific Microsoft customer email accounts.
- Once the list of high-value targets was formed, 241 of those email accounts were attacked. The chosen accounts were associated with a U.S. presidential campaign, current and former US government officials, journalists covering global media, and Iranians living outside Iran.
Although Phosphorus is not the only Iran-based group conducting such attacks, it is one of the better-known teams. Back in March, court documents were made public revealing that 99 domains had been used as part of malicious campaigns run by Phosphorus.
Campaigns involving personal information
The group gathered personal information at various stages: research was needed when choosing targets, during password resets, and while using account recovery features to attempt to take control of the chosen accounts. Once the hackers found the secondary email account linked to a Microsoft account, they tried to gain access by requesting that a verification code be sent to that secondary address. Phone numbers were also collected to help the attackers pass the account recovery checks.
MSTIC claims the hackers used a significant amount of personal information to identify accounts and advance the attacks. Although this was not a technically sophisticated campaign, the Phosphorus group is a team of motivated people who want to gather valuable information, especially around elections.
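Defensive detection logic for the recovery-flow abuse described above, as an added example that is not part of the original article or of Microsoft's report. It runs over a constructed log of account-recovery events (the field names, event names, IP addresses and mailbox names are all assumed for the example) and flags the two stages the article describes: one source probing the recovery flow for many distinct accounts, and repeated reset or verification-code requests against a single account from one source.

```python
"""Detection sketch for account-recovery abuse (added example; not Microsoft's code).

Log format is constructed for this example: one JSON object per line with
ts (epoch seconds), src (client IP), account (target mailbox) and event.
Event names are assumed: recovery_lookup, reset_requested, code_sent, code_verified.
"""
from collections import defaultdict
import json

# Constructed sample log: one source probes many mailboxes (stage one), then
# hammers the recovery flow of a single mailbox (stage two); a normal user
# resets once and verifies the code.
SAMPLE_LOG = "\n".join([
    '{"ts": 1000, "src": "203.0.113.7", "account": "alice@example.com", "event": "recovery_lookup"}',
    '{"ts": 1010, "src": "203.0.113.7", "account": "bob@example.com", "event": "recovery_lookup"}',
    '{"ts": 1020, "src": "203.0.113.7", "account": "carol@example.com", "event": "recovery_lookup"}',
    '{"ts": 1030, "src": "203.0.113.7", "account": "dave@example.com", "event": "recovery_lookup"}',
    '{"ts": 1040, "src": "203.0.113.7", "account": "erin@example.com", "event": "recovery_lookup"}',
    '{"ts": 1050, "src": "203.0.113.7", "account": "frank@example.com", "event": "recovery_lookup"}',
    '{"ts": 2000, "src": "203.0.113.7", "account": "bob@example.com", "event": "reset_requested"}',
    '{"ts": 2010, "src": "203.0.113.7", "account": "bob@example.com", "event": "code_sent"}',
    '{"ts": 2100, "src": "203.0.113.7", "account": "bob@example.com", "event": "reset_requested"}',
    '{"ts": 2110, "src": "203.0.113.7", "account": "bob@example.com", "event": "code_sent"}',
    '{"ts": 3000, "src": "198.51.100.9", "account": "carol@example.com", "event": "reset_requested"}',
    '{"ts": 3030, "src": "198.51.100.9", "account": "carol@example.com", "event": "code_verified"}',
])

ENUM_THRESHOLD = 5      # distinct accounts probed by one source within ENUM_WINDOW
ENUM_WINDOW = 600       # seconds
REPEAT_THRESHOLD = 3    # reset/code requests on one account from one source
REPEAT_WINDOW = 3600    # seconds


def parse_log(text):
    """Parse JSON lines into sorted (ts, src, account, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append((int(rec["ts"]), rec["src"], rec["account"], rec["event"]))
    events.sort()
    return events


def _max_in_window(items, window, measure):
    """Slide a time window over sorted (ts, payload) items; return the largest measure seen."""
    best = 0
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(items[start:end + 1]))
    return best


def detect_enumeration(events, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Flag sources whose recovery lookups touch many distinct accounts in a short window."""
    by_src = defaultdict(list)
    for ts, src, account, event in events:
        if event == "recovery_lookup":
            by_src[src].append((ts, account))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        peak = _max_in_window(hits, window, lambda seg: len({a for _, a in seg}))
        if peak >= threshold:
            findings[src] = peak
    return findings


def detect_repeated_recovery(events, threshold=REPEAT_THRESHOLD, window=REPEAT_WINDOW):
    """Flag (src, account) pairs with repeated reset or verification-code requests."""
    by_pair = defaultdict(list)
    for ts, src, account, event in events:
        if event in ("reset_requested", "code_sent"):
            by_pair[(src, account)].append((ts, event))
    findings = {}
    for pair, hits in by_pair.items():
        hits.sort()
        peak = _max_in_window(hits, window, len)
        if peak >= threshold:
            findings[pair] = peak
    return findings


def run(text):
    """Run both detectors over a log text and return their findings."""
    events = parse_log(text)
    return {
        "enumeration": detect_enumeration(events),
        "repeated_recovery": detect_repeated_recovery(events),
    }


if __name__ == "__main__":
    for name, hits in run(SAMPLE_LOG).items():
        print(name, hits)
```

The thresholds are illustrative; in practice they would be tuned against the service's normal recovery-request volume, and the enumeration detector should be keyed on whatever client identifier the recovery endpoint actually records rather than the raw IP alone.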
It seems the Donald Trump election campaign has already suffered a cyberattack, possibly linked to these hackers. However, Tim Murtaugh, the campaign's communications director, stated that the attack was unsuccessful.