The U.S. software company Microsoft has uncovered what it believes is an effort by Iranian government actors to hack various U.S. presidential candidates, government officials and journalists ahead of the 2020 presidential elections.
Microsoft identified up to 2,700 attempts to hack email accounts in a 30-day period between August and September, in a campaign the company dubbed “Phosphorus.” According to the Washington Post, Microsoft found that four accounts were compromised, but none belonged to a presidential candidate or government official.
According to Microsoft, the “Phosphorus” campaign saw hackers attempt to trigger password reset and account recovery features of various email accounts. Some of the efforts involved gathering the phone numbers of victims in order to authenticate the password reset features.
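The pattern described above, one operator triggering reset and recovery flows across many accounts, is visible in an identity provider's own logs. The following is an added example written for this article, not Microsoft's code or telemetry: it parses constructed, hypothetical password-reset log lines (the `reset_request` / `recovery_lookup` format, the account names and the IP addresses are all assumptions for the example) and flags both source addresses that sweep many accounts in a short window and accounts that receive bursts of resets from many sources.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real telemetry). The layout
# "<ts> <event> account=<a> src=<ip> result=<r>" is hypothetical.
SAMPLE_LOG = """\
2019-09-03T10:01:12Z reset_request account=alice@example.org src=203.0.113.10 result=sent
2019-09-03T10:01:40Z reset_request account=bob@example.org src=203.0.113.10 result=sent
2019-09-03T10:02:05Z reset_request account=carol@example.org src=203.0.113.10 result=sent
2019-09-03T10:02:33Z reset_request account=dave@example.org src=203.0.113.10 result=sent
2019-09-03T10:03:10Z recovery_lookup account=erin@example.org src=203.0.113.10 result=no_phone_on_file
2019-09-03T10:03:50Z reset_request account=frank@example.org src=203.0.113.10 result=sent
2019-09-03T11:15:00Z reset_request account=alice@example.org src=198.51.100.7 result=sent
2019-09-03T11:16:00Z reset_request account=alice@example.org src=198.51.100.8 result=sent
2019-09-03T11:17:00Z reset_request account=alice@example.org src=198.51.100.9 result=sent
2019-09-03T11:18:00Z reset_request account=alice@example.org src=198.51.100.10 result=sent
2019-09-04T09:00:00Z reset_request account=grace@example.org src=192.0.2.44 result=sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>reset_request|recovery_lookup) "
    r"account=(?P<account>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def max_distinct_in_window(items, window):
    """Largest number of distinct keys seen in any span of length `window`.

    `items` is a list of (timestamp, key). Quadratic, which is fine for an
    example; a streaming deployment would keep a sliding deque per key.
    """
    items = sorted(items)
    best = 0
    for i, (start, _) in enumerate(items):
        keys = {k for t, k in items[i:] if t - start <= window}
        best = max(best, len(keys))
    return best


def find_reset_abuse(events, window=timedelta(minutes=10),
                     src_account_threshold=5, account_threshold=3):
    """Return (sources, accounts) worth investigating.

    sources:  src IPs that started recovery flows for at least
              `src_account_threshold` distinct accounts inside `window`
              (one operator sweeping many targets).
    accounts: accounts that received reset requests from at least
              `account_threshold` distinct sources inside `window`
              (one target being hammered).
    """
    by_src = defaultdict(list)      # src -> [(ts, account)]
    by_account = defaultdict(list)  # account -> [(ts, src)]
    for e in events:
        by_src[e["src"]].append((e["ts"], e["account"]))
        if e["event"] == "reset_request":
            by_account[e["account"]].append((e["ts"], e["src"]))

    sources = sorted(s for s, items in by_src.items()
                     if max_distinct_in_window(items, window) >= src_account_threshold)
    accounts = sorted(a for a, items in by_account.items()
                      if max_distinct_in_window(items, window) >= account_threshold)
    return sources, accounts


if __name__ == "__main__":
    srcs, accts = find_reset_abuse(parse_log(SAMPLE_LOG))
    print("sources sweeping many accounts:", srcs)
    print("accounts under reset pressure:", accts)
```

Thresholds are deliberately low so the constructed sample trips both rules; in practice they are tuned against the baseline rate of legitimate self-service resets, and the `recovery_lookup` events (probing whether a phone number is on file) are worth counting even when no reset email is sent.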
The Democratic National Committee reportedly warned of the hacks on Tuesday and said the risk to its members expanded from work emails to personal accounts as well.
In a blog post, Microsoft attributed the hacking techniques to various hacking groups – APT 35, Charming Kitten, and Ajax Security Team – that are associated with Iranian hacking efforts.
“Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,” the blog post said. “Its activity is usually designed to gain access to the computer systems of businesses and government agencies and steal sensitive information. Its targets also include activists and journalists – especially those involved in advocacy and reporting on issues related to the Middle East.”
Microsoft said “Phosphorus” primarily uses a hacking technique known as spear-phishing, in which a hacker gains the target’s trust by, for example, posing as a credible, well-known brand or organization, such as Microsoft itself.
These social-engineering emails often come from domain names crafted to mimic those of legitimate companies, and they frequently contain security prompts asking users to enter and change their account credentials. Unsuspecting users who act to protect their account information then unwittingly hand their passwords to the attackers.
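Mail gateways and SOC triage scripts catch the lookalike-domain half of this technique by comparing sender and link domains against the brands they imitate. The following is an added example for this article, not Microsoft's code or any product's logic: it normalizes common homoglyph substitutions (`rn` for `m`, digits for letters), checks whether a brand name is embedded in or within a small edit distance of the registrable domain, and triages a set of constructed sample messages. The sample addresses, the single-brand allowlist and the two-label `registrable()` heuristic are assumptions made for the example.

```python
# Constructed sample messages: (From header, host of the link in the body).
# None of these addresses are real observations.
SAMPLE_MESSAGES = [
    ("account-team@microsoft.com", "account.microsoft.com"),
    ("security@micr0soft-support.com", "micr0soft-support.com"),
    ("noreply@rnicrosoft.com", "rnicrosoft.com"),
    ("alerts@microsoft-account-recovery.net", "microsoft-account-recovery.net"),
    ("newsletter@example.org", "example.org"),
]

# Brand -> registrable domains the brand legitimately sends from.
# Kept to one brand for the example; a deployment would load a fuller list.
LEGIT_BRANDS = {"microsoft": {"microsoft.com", "outlook.com"}}


def normalize(label):
    """Undo the homoglyph tricks most often seen in lookalike labels."""
    label = label.lower()
    for pair, repl in (("rn", "m"), ("vv", "w")):
        label = label.replace(pair, repl)
    return label.translate(str.maketrans("01345", "oleas"))


def levenshtein(a, b):
    """Classic edit distance; small distances to a brand are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels of the host name.

    Assumption for the example: a real deployment would consult the
    Public Suffix List so that names under co.uk and similar suffixes
    are handled correctly.
    """
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_domain(host, brands=LEGIT_BRANDS):
    """Return (verdict, brand): 'legitimate', 'lookalike' or 'unknown'."""
    reg = registrable(host)
    for brand, legit in brands.items():
        if reg in legit:
            return "legitimate", brand  # exact allowlist hit wins
        sld = reg.split(".")[0]
        norm = normalize(sld)
        if norm == brand:          # homoglyphs only, or brand on a wrong TLD
            return "lookalike", brand
        if brand in norm:          # brand embedded: microsoft-account-recovery.net
            return "lookalike", brand
        if levenshtein(norm, brand) <= 2:  # one or two typos away
            return "lookalike", brand
    return "unknown", None


def triage(messages):
    """Return the (sender, link_host) pairs in which either domain is a lookalike."""
    findings = []
    for sender, link_host in messages:
        sender_host = sender.rsplit("@", 1)[-1]
        verdicts = {classify_domain(sender_host)[0], classify_domain(link_host)[0]}
        if "lookalike" in verdicts:
            findings.append((sender, link_host))
    return findings


if __name__ == "__main__":
    for sender, link in triage(SAMPLE_MESSAGES):
        print(f"lookalike: from={sender} link={link}")
```

The allowlist check runs before normalization on purpose: `normalize()` rewrites every `rn` to `m`, so a genuine domain containing that pair would otherwise be mangled before comparison. Anything that scores as a lookalike is a candidate for quarantine and for the registrar or sinkhole follow-up the article describes, not an automatic block on its own.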
Microsoft said it took control of traffic from 99 websites and redirected it to its “Digital Crime Unit’s sinkhole,” which collects evidence of cyberattacks.
“The intelligence we collect from this sinkhole will be added to MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers.”
Microsoft said it also uses daily security analytics to track and stop individual Phosphorus attacks and to notify victims of the hacks.
The software company said it contacted each of the domain registrars with which the fraudulent domains used in the “Phosphorus” campaign were registered, and those companies will reportedly support Microsoft in a lawsuit.
Microsoft also made the lawsuit filing publicly available.
“The Iranians are very aggressive and they could leverage whatever access they get for an upper hand in any kind of negotiations,” John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye, told the Washington Post. “They could cause a lot of mayhem.”