An attack group linked to the Iranian government has been systematically researching and targeting email accounts belonging to U.S. government officials, people associated with a presidential campaign, journalists, and Iranian expatriates, in a coordinated campaign that uses simple but effective methods to compromise those accounts.
The campaign, which is the work of a group known as Phosphorus, began in August and carried on into September, according to researchers at the Microsoft Threat Intelligence Center who have been tracking the attacks targeting Microsoft customer email accounts. The researchers identified more than 2,700 individual attempts to identify Microsoft accounts belonging to specific customers, and the attackers then actively went after 241 of those accounts. Luckily, they were only successful in compromising four accounts.
The methods the Phosphorus group was using in this campaign are similar to ones they’ve employed in the past. The group tends to use spear-phishing and other simple techniques to try to gain access to target accounts, and in this latest campaign it was trying to get victims’ credentials through a password-reset scheme.
“Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password reset,” Tom Burt, corporate vice president of customer security and trust at Microsoft, said in a post on the campaign.
“While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks. This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering.”
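The research-then-reset pattern Burt describes (probe many accounts, then start recovery flows through a secondary email or phone number for a subset) is something an identity team can look for in its own account-recovery telemetry. The following is an added example, not code from Microsoft or from the original article; the log format, field names, thresholds and sample events are constructed for illustration.

```python
"""Flag sources that probe many accounts and then start recovery flows on them.
The log format below is a constructed example, not a real identity provider's."""
from collections import defaultdict

# Constructed sample telemetry: timestamp, source IP, event, account, recovery channel
SAMPLE_LOG = """\
2019-08-02T10:00:01Z 203.0.113.7 account_lookup alice@example.org -
2019-08-02T10:00:03Z 203.0.113.7 account_lookup bob@example.org -
2019-08-02T10:00:05Z 203.0.113.7 account_lookup carol@example.org -
2019-08-02T10:00:08Z 203.0.113.7 account_lookup dave@example.org -
2019-08-02T10:02:11Z 203.0.113.7 recovery_start alice@example.org secondary_email
2019-08-02T10:02:40Z 203.0.113.7 recovery_start carol@example.org phone
2019-08-02T10:05:00Z 203.0.113.7 recovery_success carol@example.org phone
2019-08-02T11:30:00Z 198.51.100.4 recovery_start erin@example.org secondary_email
2019-08-02T11:31:00Z 198.51.100.4 recovery_success erin@example.org secondary_email
"""

def parse(log):
    """Split each whitespace-separated line into a dict; '-' means no channel."""
    rows = []
    for line in log.splitlines():
        ts, src, event, acct, chan = line.split()
        rows.append({"ts": ts, "src": src, "event": event, "acct": acct, "chan": chan})
    return rows

def recovery_funnel(rows, lookup_threshold=3):
    """Per source: accounts looked up, recovery flows started, recoveries that succeeded.
    A source is flagged when it probed at least `lookup_threshold` distinct accounts and
    then started a recovery on one of them. Returns (per_source, flagged)."""
    per_src = defaultdict(lambda: {"looked_up": set(), "targeted": set(), "compromised": set()})
    for r in rows:
        s = per_src[r["src"]]
        if r["event"] == "account_lookup":
            s["looked_up"].add(r["acct"])
        elif r["event"] == "recovery_start":
            s["targeted"].add(r["acct"])
        elif r["event"] == "recovery_success":
            s["compromised"].add(r["acct"])
    flagged = {src: s for src, s in per_src.items()
               if len(s["looked_up"]) >= lookup_threshold and s["targeted"] & s["looked_up"]}
    return dict(per_src), flagged

if __name__ == "__main__":
    _, hits = recovery_funnel(parse(SAMPLE_LOG))
    for src, s in hits.items():
        print(src, "probed", len(s["looked_up"]), "targeted", sorted(s["targeted"]),
              "compromised", sorted(s["compromised"]))
```

Accounts in the `compromised` set of a flagged source are candidates for a forced credential reset and a review of their recovery email and phone number; the lone recovery from the second source is not flagged because it was not preceded by enumeration.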
The attacks by the Phosphorus group show once again that foreign threat groups are quite interested in infiltrating political campaigns in the U.S. That interest is not limited to Russian attack groups, as the Microsoft research shows, and the attackers are casting a wide net to identify targets of interest and gather as much information as possible.
The Phosphorus group, which is also known as APT 35, has been operating for several years and has a history of going after politicians, journalists, diplomats, and other targets with information that might be of interest to the Iranian government. Microsoft’s MSTIC and other security research teams have been tracking Phosphorus activity since around 2014, and earlier this year Microsoft took legal action to stop some of the group’s attacks. Microsoft obtained a court order that allowed the company to take over 99 domains used by the group in some of its attack campaigns. Those attacks used spear-phishing emails to try to trick victims into visiting a malicious site.
“Phosphorus typically attempts to compromise the personal accounts of individuals through a technique known as spear-phishing, using social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link contains malicious software that enables Phosphorus to access computer systems,” Burt said.