Microsoft says it has thwarted a series of cyberattacks by Iranian hacking group Phosphorus targeting attendees to two high-profile international conferences.
Microsoft’s Threat Intelligence Information Center (MSITC) says it’s detected and intercepted attempts by the nation-state group to harvest credentials of more than 100 “high-profile individuals” thought to be attending the upcoming Munich Security Conference, as well as the Think 20 (T20) Summit in Saudi Arabia.
According to Microsoft, the group posed as event organizers and sent spoofed invitations to the victims via email, with the intention of fooling them into giving up information.
SEE: Network security policy (TechRepublic Premium)
The emails were written in “near-perfect English” and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations, Microsoft said.
It’s unclear whether any compromising information was given up to the group, although Microsoft said that event organizers had been made aware of the hacking attempt, who had in turn warned attendees.
Image: Microsoft
“We believe Phosphorus is engaging in these attacks for intelligence-collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” said Microsoft.
“We recommend people evaluate the authenticity of emails they receive about major conferences by ensuring that the sender address looks legitimate and that any embedded links redirect to the official conference domain.”
Microsoft has shared the indicators of compromise (IOCs) observed during these activities, to help IT teams to identify earlier campaigns and protect again future ones – see below.
INDICATOR | TYPE | DESCRIPTION |
t20saudiarabia[@]outlook.sa | Masquerading as the organizer of the Think 20 (T20) conference | |
t20saudiarabia[@]hotmail.com | Masquerading as the organizer of the Think 20 (T20) conference | |
t20saudiarabia[@]gmail.com | Masquerading as the organizer of the Think 20 (T20) conference | |
munichconference[@]outlook.com | Masquerading as the organizer of the Munich Security Conference | |
munichconference[@]outlook.de | Masquerading as the organizer of the Munich Security Conference | |
munichconference1962[@]gmail.com | Masquerading as the organizer of the Munich Security Conference | |
de-ma[.]online | Domain | Domain used for credential harvesting |
g20saudi.000webhostapp[.]com | Subdomain | Subdomain used for credential harvesting |
ksat20.000webhostapp[.]com | Subdomain | Subdomain used for credential harvesting |
Basic IT security measures, like turning on multi-factor authentication and tightening email-forwarding rules, can help mitigate the dangers of phishing attacks and other such data-harvesting attacks.
As Microsoft noted in its recent Digital Defense Report, nation-state groups frequently target think tanks, policy groups and other governmental and non-governmental organizations deemed to hold valuable information.
SEE: Adware found in 21 Android apps with more than 7 million downloads
While the activity doesn’t seem to be tied to the upcoming 2020 US presidential election, it wouldn’t be the first time Phosphorus has attempted to interfere with the race to the White House.
Microsoft first detected attempts to hack members of the 2020 US presidential campaign back in October 2019. More recently, the software giant uncovered a series of attempts by state-sponsored groups in Chinese, Iranian, and Russian to breach email accounts belonging to people associated with the Biden and Trump election campaigns.
“Based on current analysis, we do not believe this activity is tied to the US elections in any way,” Microsoft said.