Iranian Hackers Targeted Conference Attendees - Microsoft Report

October 28, 2020
Microsoft reports that a hacking group associated with the Iranian government targeted over 100 prominent individuals expected to participate in two significant international security and policy gatherings.

This group, identified as Phosphorus (also known as APT35), distributed deceptive emails that appeared to originate from the organizers of the Munich Security Conference, a major global forum for security and policy discussions attended by world leaders, and the Think 20 Summit, planned for later this month in Saudi Arabia. According to Microsoft, these fraudulent emails were sent to former government personnel, scholars, and policymakers with the intention of obtaining their passwords and other confidential information, such as access to their email accounts.

When questioned regarding the operation’s objectives, Microsoft declined to provide specifics. However, Tom Burt, Microsoft’s head of customer security and trust, stated that the attacks were conducted to gather intelligence.

“These attacks successfully compromised a number of individuals, including former ambassadors and experienced policy experts who play a role in shaping international agendas and the foreign policies of their nations,” Burt explained. “We have collaborated with conference organizers to inform attendees, both past and present, and are sharing this information to encourage vigilance against similar tactics being employed at other conferences or events.”

Microsoft detailed that the attackers crafted emails using flawless English, requesting invitations to the conferences from their targets. Once a target granted the request, the attackers attempted to deceive the victim into submitting their email password on a fabricated login page. Subsequently, they would access the mailbox to steal emails and contact lists.

This group has a history of attempting to steal credentials from high-profile targets.

Attempts to reach Iran’s consulate in New York for a response were unsuccessful, as their website was unavailable.

Phosphorus is recognized for targeting influential figures, including political leaders and potential presidential candidates. However, Microsoft clarified that this recent attack is not connected to the forthcoming U.S. presidential election.

Previously, Microsoft announced it had alerted over 10,000 individuals who had been victims of state-sponsored hacking, including those targeted by Phosphorus and another Iran-linked group, Holmium (also known as APT33). In March, the technology company obtained a court order granting it control over domains utilized by Phosphorus, which were used to steal login credentials through counterfeit Google and Yahoo login pages.

A previous iteration of this report contained an inaccuracy, stating that Microsoft had prevented over 10,000 instances of state-sponsored hacking, when in fact, the company had notified that many victims. 
