Iran Caught Targeting US Presidential Campaign Accounts

Microsoft detected the so-called Phosphorus nation-state gang attacking 241 user accounts associated with a US presidential campaign, current and former US government officials, journalists, others.

Dark Reading Staff, Dark Reading

October 5, 2019

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A well-known Iranian nation-state hacking team has targeted 241 user accounts connected to a US presidential campaign, as well as existing and former government officials, journalists, and Iranian nationals residing outside that nation, according to Microsoft, which discovered the attacks.

Between August and September, Microsoft's Threat Intelligence Center spotted the so-called Phosphorus hacking group — aka APT 25, Charming Kitten, and Ajax Security Team — going after specific Microsoft customers. The group made more than 2,700 attempts to get those accounts, ultimately targeting 241 of them. They ultimately compromised four user accounts, none of which were associated with the US campaign or US government officials.

"Microsoft has notified the customers related to these investigations and threats and has worked as requested with those whose accounts were compromised to secure them," said Tom Burt, corporate vice president of customer security and trust for Microsoft, in a blog post about the incident today.

The hackers spoofed password reset or account recovery alerts as a way to infiltrate the victim accounts. "For example, they would seek access to a secondary email account linked to a user's Microsoft account, then attempt to gain access to a user's Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets," Burt explained.

Phosphorus has been a relatively active threat group. Microsoft in March took down 99 phishing and other malicious websites run by Phosphorus, and the group was spotted in December 2018 targeting email accounts of US Treasury members, defenders, detractors, Arab atomic scientists, Iranian civil society figures, DC think-tank employees, and officials charged with enforcing the former US-Iran nuclear deal.

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage.'"

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights