Microsoft has disclosed details on a significanteffort from Iran, which targeted a US presidential campaign between August and September.
CNET reports that the Iranian hackers made more than 2,700 attempts to break in to email accounts belonging to a US presidential campaign, current and former US government officials, as well as journalists and prominent Iranians living outside the country, according to a post Friday by Microsoft’s corporate vice president on customer security and trust, Tom Burt.
Microsoft said it believes the hackers are linked to the Iranian government. They gained access to four accounts by tricking password reset features, the company said
The group, which Microsoft called Phosphorous, attacked 241 email accounts, and successfully infiltrated four accounts in its campaign, the company said. US government officials and the presidential campaign were not among the four compromised accounts.
Microsoft didn’t disclose which presidential campaign was targeted in the attack. The Iranian hackers would seek access to a secondary email tied to the target’s Microsoft account. Once they had access to that account, they would prompt a password reset and use that to break in, the company said.
Microsoft said that in a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts. The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran. Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials. Microsoft has notified the customers related to these investigations and threats and has worked as requested with those whose accounts were compromised to secure them.
Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.
“While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks. This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering. MSTIC works every day to track threat groups including Phosphorus so we can notify customers when they face threats or compromises and so that we can build our products to better defend against these threats.” – Microsoft said
The company said that its Digital Crimes Unit has also taken legal and technical steps to combat Phosphorus attacks and we continue to take these types of actions.
The director of the US’ Cybersecurity and Infrastructure Security Agency, Chris Krebs, said the agency is aware of the hacking attempts, and is working with Microsoft to investigate.
“While much of this activity can likely be attributed to run-of-the-mill foreign intelligence service work, Microsoft’s claims that a presidential campaign was targeted is yet more evidence that our adversaries are looking to undermine our democratic institutions,” Krebs said in a statement.
The attempted hacks on a US presidential campaign highlight concerns surrounding the 2020 election.
Via CNET / Microsoft