Microsoft: Iranian Hackers Targeted Security Experts
Spear-Phishing Campaign Aimed at Potential Attendees at 2 Upcoming Events
A hacking group linked to Iran's government targeted over 100 security and policy experts who are potentially attending two upcoming security conferences with phishing emails designed to steal credentials and gather intelligence, according to Microsoft.
The hacking group, which Microsoft calls Phosphorus but is also known as APT35 and Charming Kitten, posed as conference organizers to send spoofed invitations, according to the company’s new report.
The attackers targeted the potential attendees of the Think 20 Summit, to be held in Saudi Arabia on Oct. 31, and the Munich Security Conference, which is scheduled for Feb. 19, 2021. Each of these conferences attracts security experts and analysts as well as diplomats and policy experts, according to Microsoft. The Think 20 event will be virtual; the Munich conference is still scheduled as a live event.
"We believe Phosphorus is engaging in these attacks for intelligence collection purposes," Tom Burt, Microsoft's corporate vice president for customer security and trust, notes in the report. "The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries."
Microsoft Threat Intelligence Information Center (MSTIC) has uncovered activity by the threat actor PHOSPHOROUS, which has been masquerading as conference organizers and sending spoofed invitations by email to high-profile individuals. Get details here: https://t.co/IJEhiCvs72 — Microsoft Security Intelligence (@MsftSecIntel) October 28, 2020
Microsoft has informed the organizers of these two events about the phishing campaign and is also working with those targeted to help them secure their email.
In June, Google security researchers found that this same Iranian hacking group unsuccessfully targeted the presidential campaign of President Donald Trump.
Tracking Group’s Efforts
Microsoft has been tracking the Phosphorus group for years. The group has previously targeted diplomatic and government personnel in the U.S. and the Middle East (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
In the latest campaign, the spear-phishing emails that Phosphorus sent used "near-perfect English" and contained information related to online attendance of the events to help ease fears about COVID-19, Microsoft says.
The spear-phishing emails sent to potential attendees contained a shortened link leading to what was designed to appear as a PDF invitation to the conference, according to the report. Instead, the victim was taken to a phishing domain where they were encouraged to enter their credentials, which were then harvested by the hackers.
The hacking group can then use the harvested credentials to attempt to access a victim's email inbox, and then monitor their communications or exfiltrate data, according to Microsoft.
Terence Jackson, CISO at security firm Thycotic, notes that one reason the attackers were able to target so many victims in this campaign may be the lack of multifactor authentication on their email accounts.
"Email is, and continues to be, the preferred delivery method for cybercriminals to get users to hand over credentials," Jackson tells Information Security Media Group. "As a security professional, I would like to think the targeted individuals had enabled multifactor authentication on their accounts. However, because of the success of this attack, that appears to not be the case."
Microsoft points out: "We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain." Users should also review their email-forwarding settings to check for changes, because attackers could use this feature to gain access to victims' messages.
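A defender-side check for the advice above, added here as an example and not taken from Microsoft's report: it parses a constructed invitation e-mail, flags a sender domain that does not match the official conference domain (a placeholder, `conference.example`), and classifies each embedded link as official, a public URL shortener (destination hidden, as in the reported campaign) or off-domain.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Hostnames of common public URL shorteners: a link through one of these hides
# its real destination, so it is flagged for resolution before anyone clicks it.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed sample message (not a real invitation): lookalike sender domain,
# a shortened "invitation" link and one genuine link to the official site.
SAMPLE_EML = """\
From: "Conference Secretariat" <invites@conference-example.net>
To: analyst@example.org
Subject: Your invitation to the upcoming summit
Content-Type: text/plain; charset="utf-8"

Dear colleague,
Your personal invitation (PDF): https://bit.ly/3xyzPLACEHOLDER
Programme: https://www.conference.example/programme
"""

def domain_of(address_or_url):
    """Lowercase hostname of a URL, or the domain part of an e-mail address."""
    if "://" in address_or_url:
        return (urlparse(address_or_url).hostname or "").lower()
    return address_or_url.rsplit("@", 1)[-1].strip("> ").lower()

def same_org(host, official):
    """True when host is the official domain itself or one of its subdomains."""
    return host == official or host.endswith("." + official)

def classify_link(url, official_domains):
    host = domain_of(url)
    if host in SHORTENERS:
        return "shortener"      # destination hidden; resolve before trusting
    if any(same_org(host, d) for d in official_domains):
        return "official"
    return "off-domain"         # may be a lookalike or a credential-harvesting site

def assess_invitation(raw_eml, official_domains):
    """Apply the two checks from the advisory: sender domain and link targets."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = domain_of(str(msg["From"] or ""))
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = {u: classify_link(u, official_domains) for u in URL_RE.findall(body)}
    sender_ok = any(same_org(sender, d) for d in official_domains)
    bad_links = [u for u, kind in links.items() if kind != "official"]
    verdict = "suspicious" if (bad_links or not sender_ok) else "looks legitimate"
    return {"sender_domain": sender, "sender_official": sender_ok,
            "links": links, "verdict": verdict}

if __name__ == "__main__":
    result = assess_invitation(SAMPLE_EML, {"conference.example"})
    for url, kind in result["links"].items():
        print(f"{kind:10} {url}")
    print("sender:", result["sender_domain"], "| verdict:", result["verdict"])
```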
In March 2019, Microsoft took legal action against Phosphorus, taking down 99 website domains that the group allegedly used as part of a spear-phishing campaign (see: Microsoft Takes Control of 99 Websites From APT Group).