Iran-linked Phosphorous APT hacked emails of security conference attendees

Iran-linked APT group Phosphorus successfully hacked into the email accounts of multiple high-profile individuals and security conference attendees.

Microsoft revealed that Iran-linked APT Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) successfully hacked into the email accounts of multiple high-profile individuals and attendees at this year’s Munich Security Conference and the Think 20 (T20) summit.

“Today, we’re sharing that we have detected and worked to stop a series of cyberattacks from the threat actor Phosphorous masquerading as conference organizers to target more than 100 high-profile individuals.” reads the post published by Microsoft. “Phosphorus, an Iranian actor, has targeted with this scheme potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.”

Nation-state actors successfully targeted over 100 individuals, including former ambassadors and other senior policy experts.

According to the experts at Microsoft Security Intelligence Center, the attacks are part of a cyber-espionage campaign aims at gathering intelligence on the victims by exfiltrating data from their mailboxs and contact list.

Data was exfiltrated to the de-ma[.]online domain, and the g20saudi.000webhostapp[.]com, and ksat20.000webhostapp[.]com subdomains.

The attackers have been sending spoofed email invitations to to former government officials, policy experts, academics, and leaders from non-governmental organizations. Attackers attempted to exploit the fears of travel during the Covid-19 pandemic by offering remote sessions.

The emails were written in almost perfect English.

Experts believe that this campaign is not tied to the upcoming U.S. Presidential elections.

Microsoft experts have worked with conference organizers who are warning their attendees about the ongoing attacks and suggesting them to remain vigilant to this approach being used in connection with other conferences or events.

“We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain. As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these.” suggest Microsoft. “For anyone who suspects they may have been a victim of this campaign, we also encourage a close review of email-forwarding rules in accounts to identify and remove any suspicious rules that may have been set during a successful compromise.”

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. In past campaigns, the APT group launched spear-phishing attacks against activists and journalists focusing on the Middle East, US organizations, and entities located in Israel, the U.K., Saudi Arabia, and Iraq.

Recently Microsoft published a post and a series of tweets to warn of cyber attacks exploiting the Zerologon vulnerability carried out by the Iran-linked APT group known as MuddyWater, aka Mercury.

The IT giant also warned of cyber espionage campaigns carried out by other nation state-sponsored hacking groups operating from Russia and China targeting organizations and individuals involved in this year’s U.S. presidential election.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Phosphorous)

[adrotate banner=”5″]

[adrotate banner=”13″]