A threat group, dubbed Phosphorus, that Microsoft believes to be linked to Iran’s government targeted email accounts associated with a presidential campaign as well as government officials, journalists and prominent Iranians living outside the country.
“In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts,” Tom Burt, Microsoft corporate vice president of customer security and trust, wrote in a blog post, noting that four accounts – not those of journalists or associated with the presidential campaign – were compromised.
“In many ways, this is an unsurprising report given that this particular Iranian cyber threat group has been operating since 2004 and targeting human rights activists, journalists and others,” said Jamil Jaffer, vice president of strategy and partnerships at IronNet Cybersecurity. “What is interesting in this report is the renewed focus, as part of a broader campaign, on American political and campaign officials.”
Phosphorus (aka Charming Kitten, Ajax Security Team and APT35) researched targets or used “other means to game password reset or account recovery features and attempt to take over some targeted accounts,” Burt wrote. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account.”
The threat group, in some cases, collected targets’ phone numbers and “used them to assist in authenticating password resets,” according to the blog post.
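The recovery-channel abuse Burt describes (a burst of password-reset and account-recovery attempts against a small set of accounts, from a source that has first enumerated which accounts exist) leaves a recognisable trace in an identity provider's logs. The following detector is an added example, not Microsoft's or MSTIC's tooling; the `recovery_attempt` log format and every sample line in it are constructed for this illustration.

```python
"""Flag clustered account-recovery abuse in authentication logs.

Added example, not Microsoft's or MSTIC's code. The log format is
hypothetical and the sample lines are constructed for this example:
  <ISO-8601 UTC ts> recovery_attempt target=<email> channel=<secondary_email|sms> src=<ip> result=<ok|fail>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) recovery_attempt target=(?P<target>\S+) "
    r"channel=(?P<channel>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one account hit three times in an hour, one source
# touching three different accounts, one reset that succeeded after failures.
SAMPLE_LOG = """\
2019-08-14T09:12:03Z recovery_attempt target=reporter@example.org channel=secondary_email src=203.0.113.5 result=fail
2019-08-14T09:40:11Z recovery_attempt target=reporter@example.org channel=sms src=203.0.113.5 result=fail
2019-08-14T10:02:45Z recovery_attempt target=reporter@example.org channel=secondary_email src=203.0.113.9 result=fail
2019-08-14T11:30:00Z recovery_attempt target=staffer@example.org channel=secondary_email src=203.0.113.5 result=fail
2019-08-15T08:00:00Z recovery_attempt target=staffer@example.org channel=sms src=203.0.113.5 result=ok
2019-08-16T14:20:00Z recovery_attempt target=analyst@example.org channel=secondary_email src=203.0.113.5 result=fail
2019-08-20T16:45:30Z recovery_attempt target=friend@example.org channel=sms src=198.51.100.7 result=ok
"""


def parse_log(text):
    """Parse matching lines into event dicts, time-ordered; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def flag_targets(events, window=timedelta(hours=24), threshold=3):
    """Accounts with >= threshold recovery attempts inside any sliding window.
    Returns {target: peak attempts seen in one window}."""
    by_target = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e["ts"])
    flagged = {}
    for target, times in by_target.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[target] = peak
    return flagged


def flag_sources(events, min_targets=3):
    """Sources that attempt recovery on many distinct accounts: the
    'identify accounts, then attack them' pattern. Returns {src: distinct targets}."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["target"])
    return {src: len(t) for src, t in seen.items() if len(t) >= min_targets}


def successful_after_failures(events):
    """Accounts where a recovery succeeded after earlier failures: the
    strongest takeover indicator, so these get locked and reviewed first."""
    failed, hits = set(), []
    for e in events:  # parse_log() already ordered these by time
        if e["result"] == "fail":
            failed.add(e["target"])
        elif e["target"] in failed and e["target"] not in hits:
            hits.append(e["target"])
    return hits


def report(text):
    """Run all three checks over raw log text."""
    events = parse_log(text)
    return {
        "targets": flag_targets(events),
        "sources": flag_sources(events),
        "likely_compromised": successful_after_failures(events),
    }


if __name__ == "__main__":
    for section, value in report(SAMPLE_LOG).items():
        print(f"{section}: {value}")
```

The three checks deliberately look at different axes: per-account volume catches the targeted hammering, per-source fan-out catches the enumeration phase even when each account sees only one attempt, and "success after failure" is the triage queue. In the constructed sample only `reporter@` trips the volume rule, only `203.0.113.5` trips the fan-out rule, and `staffer@` is the one account whose reset eventually went through.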
Burt said that while the attacks weren’t particularly sophisticated, the volume of personal information used to identify and attack targets “suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering.”
Noting the internet has long been a hotbed for the “collection of intelligence by governments,” Jared Phipps, vice president at SentinelOne, stressed that “prior evidence of Russian [activity] using social media methods to alter public perception shows the dangers of allowing these types of cyberattacks to continue.”
The Phosphorus “attacks highlight the risks of public officials using cyber assets not protected by the U.S. government, even during campaigns,” said Phipps. “This is a policy that should be re-evaluated. U.S. government is able to provide adequate protections against nation-state attacks and campaigns. Privately managed email accounts cannot do this.”
The latest campaign takes on particular importance as the U.S. 2020 primary and general elections approach and tensions with Iran have ratcheted up. “Such a cyber campaign against Americans, our political system, and other key infrastructures is perhaps not surprising given that we have not been able to effectively deter Iran,” said Jaffer. “It is critical that Iran understand that a sustained effort targeting political campaigns will elicit an American response and that we actually undertake a response if these activities continue, or as is likely, worsen in coming weeks and months.”
Peter Goldstein, CTO and co-founder of Valimail, contended that “as phishing becomes harder and harder to detect, it’s critical to prevent these malicious emails from ever entering inboxes in the first place.”
He recommended focusing on authenticating the identity of the sender, which can stop “almost 90 percent of malicious emails” in their tracks.
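Goldstein's recommendation is stated in general terms; in practice, authenticating the sender of an email means SPF and DKIM for the transport-level checks and DMARC to tie their results to the visible From: domain and tell receivers what to do on failure. The evaluator below is an added example, not Valimail's product or any Microsoft code. It assumes that reading of "sender authentication", and it uses a simplified organizational-domain rule (the last two labels) where a real evaluator consults the Public Suffix List. All records and domains in it are constructed.

```python
"""Evaluate a DMARC policy against a message's SPF/DKIM results.

Added example, not Valimail's or Microsoft's code. Assumes "sender
authentication" means SPF/DKIM/DMARC; org_domain() is a simplification
(real evaluators use the Public Suffix List). All inputs are constructed.
"""

POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_ACTION:
        raise ValueError("not a usable DMARC record")
    return tags


def enforcement_level(record):
    """'monitor' (p=none blocks nothing), 'partial' (pct<100), or 'enforced'."""
    tags = parse_dmarc(record)
    if tags["p"] == "none":
        return "monitor"
    if int(tags.get("pct", "100")) < 100:
        return "partial"
    return "enforced"


def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption, not PSL-aware)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (dmarc_result, action).

    DMARC passes when SPF or DKIM passed AND the domain that passed aligns
    with the RFC 5322 From: domain; otherwise the published policy decides.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", POLICY_ACTION[tags["p"]]


if __name__ == "__main__":
    # Constructed scenario: a message whose SPF passes for an unrelated
    # domain while the From: header claims example.org. A p=none record
    # still delivers it; p=reject does not.
    spoof = dict(from_domain="example.org", spf_domain="mailer.unrelated.example", spf_pass=True)
    print(evaluate("v=DMARC1; p=none; rua=mailto:dmarc@example.org", **spoof))
    print(evaluate("v=DMARC1; p=reject; rua=mailto:dmarc@example.org", **spoof))
```

The point the `__main__` scenario makes is the one that matters for a domain protecting campaign or newsroom mail: SPF and DKIM can both "pass" for a message whose From: domain is still spoofed, because they authenticate other identifiers. Only DMARC alignment ties the check to the domain the recipient sees, and only a `p=quarantine` or `p=reject` policy turns a failed check into something other than normal delivery; `p=none` is monitoring, not protection.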
Microsoft has alerted its customers who were targeted by the threat group and urged them to employ security measures like two-step verification and remain vigilant.