Pierluigi Paganini March 31, 2019

Microsoft this week announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the company as Phosphorus.

Microsoft has recently announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the tech giant as Phosphorus (aka APT35, Charming Kitten, NewsBeef, Newscaster and Ajax Security Team).

“Today, court documents were unsealed detailing work Microsoft’s Digital Crimes Unit has executed to disrupt cyberattacks from a threat group we call Phosphorus – also known as APT 35, Charming Kitten, and Ajax Security Team – which is widely associated with Iranian hackers.” reads the announcement published by Microsoft. “Our court case against Phosphorus, filed in the U.S. District Court for Washington D.C., resulted in a court order enabling us last week to take control of 99 websites the group uses to conduct its hacking operations so the sites can no longer be used to execute attacks. “

The Newscaster group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011. In past campaigns, the APT group launched spear-phishing attacks against activists and journalists focusing on the Middle East, US organizations, and entities located in Israel, the U.K., Saudi Arabia, and Iraq.

Microsoft took control of the domains used by Phosphorus after filing a legal complaint in the U.S. District Court for Washington D.C. against two John Does that are allegedly behind the group’s operations.

“Plaintiff Microsoft Corporation (“Microsoft”) has sued Defendants John Does 1-2 associated with the Internet domains listed below.” reads the notice of pleadings. “Microsoft alleges that Defendants have violated Federal and state law by hosting a cybercriminal operation through these Internet domains, causing unlawful intrusion into Microsoft and Microsoft’s customers’ computers and computing devices”

The court order obtained by Microsoft authorized the company to seize the domains and redirect traffic from compromised devices to a sinkhole.

The domains attempt to mimic legitimate services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.

The threat actors used the websites to serve malware to the victims, they also sent out emails alerting recipients of a security risk in order to trick them into handing over their account credentials.

“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations,” continues Microsoft. “Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure.”

The case against Phosphorus APT is similar to cases Microsoft filed against the Strontium APT group. The company confirmed to have used this approach 15 times to take control of 91 fake websites associated with Russia-linked Strontium group.
Strontium

Microsoft revealed last month that the Russia-linked APT28 group targeted 104 accounts belonging to the employees of democratic organizations in various European countries.

Pierluigi Paganini

(SecurityAffairs – Phosphorus APT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]