Microsoft Says It Has Found Iranian Hackers Targeting U.S. Agencies, Companies and Middle East Advocates

In the latest of a string of security actions, Microsoft has seized 99 websites it says were used by Iranian hackers to launch cyberattacks against government agencies, businesses and users in Washington, according to a company blog post and court records unsealed Wednesday.

Microsoft obtained a federal judge’s approval on March 15 to disable the websites that it detected and had been tracking for six years, run by a threat group the company has dubbed Phosphorus, and that other researchers call Ajax Security Team, APT 35 and Charming Kitten, the company said.

The sites were used in a years-long “spear-phishing” campaign that targeted corporations and government agencies, as well as activists and journalists, particularly those involved in advocating and reporting on issues relate to the Middle East, according to Microsoft. In the attacks, hackers send out emails and social media posts with the aim of infiltrating computer systems by tricking victims into visiting phony websites with malicious software that appear authentic.

Analysts with U.S. intelligence agencies, private firms and universities say the Iranian hackers have targeted defense contractors, oil and gas companies and the military and government in the United States, Israel and the Gulf region — states that are all traditional Iranian adversaries.

In the Phosphorus case, Microsoft filed suit March 14 against defendants identified as “John Does 1-2,” asking a federal court to halt the activity and allow the company to take over and disable websites used to hack, gain and keep access to victim networks, and steal sensitive data.

U.S. District Amy Berman Jackson in Washington granted the temporary restraining order the following day, allowing Microsoft to secretly access the websites because the company had established “good cause” to believe that alerting the defendants beforehand would enable “highly sophisticated cybercriminals” to escape further analysis.

“This is a significant setback for these Iranian actors, who could be used against Western interests” if Iran decides to reengage in aggressive activity now that the United States has pulled out of the Iran nuclear deal, said John Hultquist, director of intelligence analysis for FireEye, who has been tracking the group for years.

“One of the major concerns I have with this group is they could be leveraged for more destructive attacks,” Hultquist said. “They’re a very dangerous actor that we should be very concerned about given the changing relationship we have with Iran.”

Hultquist said FireEye believes the group known as APT 35 has links to the Iranian government and may be behind destructive cyberattacks on oil and gas companies in the Gulf region in recent years.

“They are pretty savvy at creating fictitious personas and supporting websites as part of elaborate social engineering schemes,” Hultquist said.

Some personas exist on multiple platforms — Facebook, Google, LinkedIn. “It’s about creating these deep social engineering campaigns that are difficult to discern from legitimate activity,” Hultquist said.

In a blog post, Tom Burt, Microsoft corporate vice president for customer security and trust, said the company’s Digital Crimes Unit and Threat Intelligence Center have tracked Phosphorus since 2013.

The group used fake websites incorporating the names of Microsoft, Yahoo and other brands, with sometimes only a single letter or punctuation mark revealing the difference from an authentic site.

Microsoft and other online companies have grown increasingly active in countering such sites, although security experts liken their efforts to a game of Whac-A-Mole, with new attack methods evolving as others are shut down.

Burt said the recent court action allowed Microsoft to take control of 99 websites and redirect traffic from infected devices to the company’s digital crime unit for analysis to improve security products and services.

Microsoft and other technology companies are sharing threat information to jointly stop attacks, he said, and they arranged with website-listing companies beforehand to transfer Phosphorus sites once a court order was granted.

Former Obama administration cybersecurity coordinator Michael Daniel said Microsoft pioneered the countering of malicious cyberactivity through court action, successfully disrupting adversaries in the short term.

“However, there are risks,” he said, “including the bad guys targeting the seizing organization.” Most companies have chosen not to go down this path, but it could be useful especially if combined with other actions and companies, he said.