Microsoft: Iran-Linked Hackers Targeted Presidential Campaign

The hacking group known as Phosphorus, active since 2013, has been involved in myriad attempted cyberattacks against American officials and organizations, including at least one campaign in the race for the U.S. presidency.

by / October 4, 2019
Shutterstock/Novikov Aleksey

A hacking group with ties to the Iranian government recently vaunted cyberattacks on a variety of American targets, including a 2020 U.S. Presidential campaign, according to Microsoft, whose Threat Intelligence Center (MSTIC) observed the attempts. 

Phosphorus, which has also gone by the names "APT35," "Charming Kitten" and "Ajax," is a state-sponsored cybergroup attached to the Iranian military that has been involved in myriad cyberattacks since 2013. Its latest attempts included the attempted infiltration of the political campaign, says a blog post written by Microsoft's Tom Burt. Burt is the company's corporate vice president, customer security and trust.

Between August and September the group is alleged to have targeted not just the campaign, but hundreds of individuals, including American journalists, as well as current and former federal officials, Burt's post states. Over a 30-day period, the hackers made over 2,700 attempts to identify Microsoft email accounts, before ultimately attacking 241 of those accounts. 

As a result of the attempts, only four email accounts were compromised — none of which belonged to campaign personnel or government officials, said Microsoft. 

According to FireEye, Phosphorus has historically targeted a wide range of figures and organizations, including "U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors." 

The group, while technically unsophisticated, has also been known to vaunt complex social engineering exercises that mobilize fake social media personalities to infiltrate online communities and accomplish its goals, FireEye reports. Typically these exercises have included faking associations with news organizations — a hacking trend reported on earlier this year by The Intercept — which has earned them the moniker the "Newscaster Team." 

Phosphorus also allegedly has a relationship with Monica Witt, the former U.S. Air Force counterintelligence agent who is accused of spying for Iran and who was charged with conspiracy earlier this year. Witt, who defected to Iran in 2013, allegedly helped deliver intelligence to Phosphorus that the group then used to better coordinate spear phishing campaigns. 

Earlier this year, Microsoft also seized control of a network of sites that the hacker group had mobilized to launch a phishing campaign.

"While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks. This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering," the company said on its website. 

Platforms & Programs