Iranians tried to hack U.S. presidential campaign in effort that targeted hundreds, Microsoft says

By Jay Greene and Tony Romm
Washington Post Updated – October 04, 2019

SEATTLE — A campaign believed to be tied to the Iranian government attempted to identify, attack and breach email addresses belonging to a U.S. presidential campaign, government officials and journalists, according to new data unveiled by Microsoft, highlighting the continued global security threats that loom over the fast-approaching 2020 election.

The intrusion observed by Microsoft, spearheaded by an outfit it calls Phosphorus, made more than 2,700 attempts to identify email addresses that belonged to the company’s customers over a 30-day period between August and September, 241 of which were then attacked. Four were compromised, but they do not belong to the presidential campaign or government officials, according to the tech giant.

Microsoft said it notified the customers attacked and has worked with those whose accounts were compromised to secure them. It declined to disclose the names of the account holders. The company declined to comment beyond a blog post disclosing the news Friday.

[It’s not just the Russians anymore as Iranians and others turn up disinformation efforts ahead of 2020 vote]

According to Microsoft, Phosphorus hackers tried to figure out how to reset passwords or otherwise trigger account recovery features to take over accounts. In some instances, Microsoft found that the group gathered phone numbers belonging to its targets to try to authenticate password resets.

The attacks were not “technically sophisticated,” Microsoft’s vice president of customer security and trust, Tom Burt, wrote in the blog post. But he noted that they used significant amounts of the targets’ personal information, suggesting that Phosphorus was willing to invest “significant time and resources engaging in research and other means of information gathering.”

For years, Iranian hackers have targeted U.S. officials through “large-scale intrusion attempts,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. But the aggressiveness of the country’s digital efforts has escalated as Tehran’s political standing with Washington has worsened, particularly in recent months as President Trump has threatened sanctions over the country’s nuclear program.

“The Iranians are very aggressive, and they could leverage whatever access they get for an upper hand in any kind of negotiations,” Hultquist said. “They could cause a lot of mayhem.”

Major tech companies also have been warning about the rising Iranian threat, largely out of concern that malicious actors originating in the country were spreading disinformation online. In May, for example, Facebook and Twitter said they had removed a sprawling Iranian-based propaganda operation, including accounts that mimicked Republican congressional candidates and appeared to try to push pro-Iranian political messages on social media. Some of those accounts similarly took aim at U.S. policymakers and journalists, researchers said at the time.

[Microsoft says it has found another Russian operation targeting prominent think tanks]

This isn’t Microsoft’s first brush with Phosphorus. The company, which names hacking groups after elements on the periodic table, seized 99 websites in March it said were used by the group to launch cyberattacks against government agencies, businesses and users in Washington. Microsoft said it had been tracking the group for six years. Other researchers have tagged the group Ajax Security Team, APT 35 and Charming Kitten.

At the time, Microsoft said Phosphorus had targeted activists and journalists, “especially those involved in advocacy and reporting on issues related to the Middle East.”

[Microsoft says it has found Iranian hackers targeting U.S. agencies, companies and Middle East advocates]

The Democratic National Committee warned campaigns about the Phosphorus attacks Tuesday, noting that the group has been targeting personal email accounts as well as work ones. The DNC recommended that members review logs for connection attempts in August and September.

“They create believable spear phishing emails and fake LinkedIn profiles as primary tactics,” according to the email from the DNC obtained by The Washington Post.

Spokespeople for the Trump campaign, as well as Democratic campaigns including those of Sens. Elizabeth Warren (D-Mass.), Kamala D. Harris (D-Calif.) and Cory Booker (D-N.J.), did not immediately respond to requests for comment. Spokespeople for former vice president Joe Biden and Sen. Bernie Sanders (I-Vt.) declined to comment.

Leave a Reply

Your email address will not be published. Required fields are marked *