State-sponsored Iranian hackers are targeting U.S. government officials and members of campaign staffs, according to Microsoft’s Threat Intelligence Center. Microsoft announced the cyber espionage efforts by Iran’s Phosphorus threat group today. The Microsoft AccountGuard environment was created to defend those who are engaged in the democratic process or reporting  on the process.

The efforts by Iran to penetrate the AccountGuard environment, as detailed in the Microsoft announcement, come on the heels of the recent revelation of Iran’s active targeting of active duty military personnel and veterans in a separate cyber espionage activity.

The targeting of AccountGuard to collect information from those associated with U.S. presidential candidates by Iran is not surprising. In the world of espionage, one goes where one’s target is resident. And in this instance, it was AccountGuard. The added value to targeting AccountGuard is the number of additional targets available within the same target folio, such as dissident Iranians and journalists.

Iran’s Phosphorus group’s Modus Operandi

Iran’s Phosphorus threat group made 2,700 attempts to identify consumer email accounts and then attempted to compromise 241 of them in a 30-day August-September 2019 period. The targeted accounts included those associated with a current U.S. presidential candidate. The accounts which percolated to the top of the Iranian efforts included U.S. government officials, journalists and Iranian expatriates. Of the 241 attempts, four were successfully compromised (none of which were associated with a U.S. presidential candidate).

Phosphorus demonstrated their discipline in researching their targets in depth prior to making an attempt to compromise their AccountGuard access. The group gathered various alternative email accounts associated with the individuals of interest, and then attempted to “gain access to a user’s Microsoft account through verification sent to a secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

In March 2019, Iran’s Phosphorus group was identified by Microsoft as being involved in detailed spear-phishing designed to “use social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link contains malicious software that enables Phosphorus to access computer systems.”  Additionally, Phosphorus has been known to send emails indicating that a target’s access to a given platform or service has been compromised and that a reset of their password is needed.

In both instances, the end goal of Phosphorus is to capture their login credentials and compromise the target’s device and the networks to which the target has access.

What can you do?

Activating two-step authentication is the number one piece of advice from Microsoft. This raises the level of difficulty in compromising a given account by the methodology used by Phosphorus. In addition, monitoring account activity from time to time to determine if unauthorized access to one’s account has occurred is another means to determine the account security status.

For their part, Microsoft has filed suit against Phosphorus.  In their civil action they have requested that the groups Internet domains be removed. The domain names crossed multiple registrars and countries, and are detailed in Microsoft’s complaint.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com