Microsoft says Iranian hackers targeted high-profile international conference attendees for intelligence collection purposes. The company reported that the Iranian advanced persistent threat (APT) group impersonated conference organizers and sent fake invitations from spoofed email addresses.
Microsoft has tracked the threat actor since 2013, accusing it of targeting journalists, political dissidents, activists, defense industry workers, prominent Iranians living abroad, and others in the Middle East.
The group has also targeted politicians, including U.S. presidential hopefuls. Microsoft reported that several victims' accounts were compromised in the latest campaign.
Iranian hackers on intelligence collection mission
Microsoft attributed the attempts to the Iranian group it tracks as Phosphorus, also known as APT35 or Charming Kitten. Microsoft's Tom Burt confirmed that "Phosphorus is engaging in these attacks for intelligence collection purposes."
The hackers targeted over 100 high-profile individuals expected to attend the Munich Security Conference in Germany and the Think 20 (T20) Summit in Saudi Arabia.
Past attendees of the Munich Security Conference include Canadian Prime Minister Justin Trudeau, French President Emmanuel Macron, U.S. Secretary of State Mike Pompeo, and House Speaker Nancy Pelosi (D-Calif.). It is unclear whether the Iranian hackers targeted any of these individuals.
Microsoft disclosed that the attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their home countries. However, the company did not disclose the nationalities of the affected individuals during the intelligence collection campaign.
Phosphorus also attempted to dupe former government officials, policy experts, and academics in its intelligence collection efforts.
Microsoft noted that the Iranian hackers crafted the emails “in perfect English” to dupe the high-profile individuals.
The invitations included plausible details such as available remote sessions and travel logistics, and directed recipients to a fake login page where they were tricked into entering their credentials. The attackers then used the stolen credentials to sign in to the victims' email accounts and collect intelligence.
The conference attendees were alerted to the fake invitations and advised to ignore them.
No links to the current U.S. elections
The tech giant, however, said it found no link between these attacks and the upcoming U.S. elections. Microsoft had earlier reported that the same group targeted an undisclosed presidential candidate.
Phosphorus compromises online accounts and computer networks by tricking victims into clicking malicious links or opening infected attachments. In March 2019, Microsoft obtained a court order giving it control of the domains Phosphorus was using; the group had used those servers to harvest credentials through fake Google and Yahoo login pages.
Microsoft, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and other cybersecurity firms have warned about state-sponsored threat actors targeting various organizations, including defense contractors, COVID-19 drug research facilities, and even the U.S. elections.
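The two passages above describe the lure chain: a spoofed invitation that looks like it comes from the organizer, a link whose visible text differs from its real destination, and a cloned Google or Yahoo sign-in page that harvests the credentials. The following triage script is an added example, not code from Microsoft or the original article, showing the header and link checks a mail-security engineer would run against such a message. The two sample emails, and every domain in them, are constructed placeholders (conference-organizer.example, attacker-mailer.example, login-verify.example) and are not real Phosphorus infrastructure.

```python
"""Triage checks for spoofed conference invitations (added example)."""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: display name and From address impersonate the organizer,
# the envelope sender is a different domain, SPF/DKIM fail, and the link text
# hides a look-alike Google sign-in host.
SPOOFED_INVITE = """\
From: "Conference Organizer" <invitations@conference-organizer.example>
Return-Path: <bounce@attacker-mailer.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker-mailer.example; dkim=none
Subject: Invitation: remote session schedule and travel logistics
Content-Type: text/html

<html><body>
<p>Please confirm your attendance and review the travel logistics below.</p>
<p><a href="https://accounts.google.com.login-verify.example/signin">https://conference-organizer.example/confirm</a></p>
</body></html>
"""

# Constructed sample: a benign message that passes authentication and links
# only to the sender's own domain.
LEGITIMATE_MAIL = """\
From: "Conference Team" <team@conference-organizer.example>
Return-Path: <team@conference-organizer.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=conference-organizer.example; dkim=pass header.d=conference-organizer.example
Subject: Agenda update
Content-Type: text/html

<html><body><p>Agenda: <a href="https://conference-organizer.example/agenda">https://conference-organizer.example/agenda</a></p></body></html>
"""

# Brands whose login pages the group cloned, per Microsoft's disclosure.
LOGIN_BRANDS = ("google", "yahoo")


def registered_domain(host):
    """Crude eTLD+1 (last two labels). Enough for these samples; production
    code should use the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(value):
    """Registered domain of the address in a From / Return-Path header."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(value or ""))
    return registered_domain(m.group(1)) if m else ""


def triage(raw):
    """Return a list of indicator strings for one RFC 822 message; empty means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    auth = str(msg["Authentication-Results"] or "").lower()

    # 1. Envelope sender (Return-Path) disagrees with the visible From domain.
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")

    # 2. Sender authentication failed or is missing entirely.
    if "spf=pass" not in auth:
        findings.append("spf not passed")
    if "dkim=pass" not in auth:
        findings.append("dkim not passed")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""

    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', html):
        host = (urlparse(href).hostname or "").lower()
        href_dom = registered_domain(host)
        # 3. Visible link text shows one URL while the href goes elsewhere.
        text_host = urlparse(text.strip()).hostname
        if text_host and registered_domain(text_host) != href_dom:
            findings.append(f"link text {text_host} hides href {href_dom}")
        # 4. Brand name in the subdomain labels, but the registered domain is
        #    not that brand: the cloned-login-page pattern.
        if any(b in host for b in LOGIN_BRANDS) and not any(
            href_dom.startswith(b + ".") for b in LOGIN_BRANDS
        ):
            findings.append(f"look-alike login host {host}")
        # 5. Link destination is not the sender's own domain.
        if href_dom != from_dom:
            findings.append(f"link domain {href_dom} != from domain {from_dom}")

    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_INVITE), ("legit", LEGITIMATE_MAIL)):
        print(name, triage(raw))
```

Run stand-alone it prints six indicators for the spoofed invite and none for the benign message. The checks deliberately rely only on headers and link structure, because the "perfect English" lure text Microsoft describes offers nothing for a content filter to catch; a real deployment would add the public suffix list and a feed of known-cloned login hosts.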
Commenting on Iranian hackers targeting conference attendees for intelligence collection purposes, Jonathan Reiber, Senior Director of Cybersecurity Strategy and Policy at AttackIQ, says:
“The Iranians have been doing this since at least 2012, when I myself received a phishing email on my personal account from an Iranian actor, purportedly from an assistant secretary of state, containing a PDF about Middle East security issues. Such tactics are cheap, easy to execute and come with a high return on investment, and Iran has a well-funded and state-supported cyberspace operations capability.”
James McQuiggan, a security awareness advocate at KnowBe4, points out that targeted attacks are very successful because the victims are at ease.
“The user may feel more relaxed and not scrutinize the email, as it appears to come from a trusted source; especially if he/she had previously attended the conference. End users receiving these types of emails will want to make sure they know the social engineering scams and techniques used by cybercriminals to engineer them to fall victim to these attacks.”
He recommends that organizations should implement a “robust security awareness training program to ensure that employees can make smarter security decisions like recognizing a spear-phishing email and taking the necessary actions to protect an organization from various attacks.”