Iran-linked Phosphorus group hit a 2020 presidential campaign

Microsoft says that the Iran-linked cyber-espionage group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) a 2020 presidential campaign.

Microsoft’s Threat Intelligence Center (MSTIC) revealed that an Iran-linked APT group tracked as Phosphorus (aka APT35, Charming Kitten, Newscaster, and Ajax Security Team) attempted to access to email accounts belonging to current and former US government officials, journalists, Iranians living abroad, and individuals involved in a 2020 US presidential campaign.

The Phosphorus group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. 

The experts revealed that the recent campaign carried out by the APT group took place between August and September.

“In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.” reads the analysis published by Microsoft. “The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran.”

The state-sponsored hackers initially conducted a reconnaissance operation to identify high-value targets. Microsoft observed more than 2,700 probes, then the attackers targeted 241 accounts, some of them associated with a U.S. Presidential campaign.

Microsoft confirmed that hackers breached four accounts, but the compromised accounts were not associated with the U.S. Presidential campaign or current and former U.S. government officials.

Microsoft notified all the impacted users about the hacks and provided supports to the victims to secure their accounts.

The hackers initially breached into the victim’s secondary email inbox associated with their Microsoft account, then used them to reset the password. Once they received the reset link to the secondary inbox, the hackers used it to take control of the primary Microsoft account.

“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts.” continues the report. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

Microsoft experts pointed out that the attacks attributed to the Phosphorus group even if they were not technically sophisticated used a significant amount of personal information to identify the targets’ accounts and hack them. 

Microsoft recommends its high-profile Microsoft involved in political campaigns, think tanks, or NGOs, to sign up for Microsoft AccountGuard that offers additional protection against the attacks.

“There are currently 60,000 accounts in 26 countries protected by AccountGuard, which provides monitoring and unified threat notification across the Office 365 accounts you use for work and the personal accounts of your staff and others affiliated with your organization that opt-in for this protection.” concludes Microsoft. “To date, we’ve made more than 800 notifications of attempted nation-state attacks to AccountGuard customers.

In March, Microsoft announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

The domains attempted to mimic legitimate services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.

The threat actors used the websites to serve malware to the victims, they also sent out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]