The Iranian government attempted to hack into hundreds of Office 365 email accounts belonging to politicians, government officials and journalists last month, Microsoft has warned.
“We’ve recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government,” Microsoft’s vice president of customer security and trust Tom Burt said in a blog post on Friday.
Redmond's bit wranglers observed more than 2,700 attempts to hack into 241 different accounts, according to the software giant. It noted that those accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran.”
Microsoft says that only four of the 241 accounts were compromised and none of them were connected to government officials or presidential campaigns. It says the accounts are now secure and the owners are aware of the activity.
Notably, Microsoft says the hacking efforts were “not technically sophisticated” but used personal information gathered elsewhere to try to prompt password reset or account recovery in an effort to get into the accounts.
“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Microsoft explained.
The hackers also appear to have targeted phone-based verification used in account recovery. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets,” the company said. It described the attackers as “highly motivated and willing to invest significant time and resources.”
Instead, Microsoft recommends that people use its Authenticator app, which generates a login code that changes every 30 seconds, to access their accounts. A code of that kind is computed on the user's own device from a shared secret rather than sent to a phone number or backup mailbox, so an attacker who has harvested those recovery details from elsewhere has nothing to intercept.
How come Iran?
The company did not go into any detail over why it believes the Iranian government is behind the hacks beyond noting that those targeted included “prominent Iranians living outside Iran.” Presumably, it was able to match the pattern of these attempts against activity it had previously attributed to the same group, including attempts on accounts with no direct connection to Iran, and extrapolated from that.
As to why it released the information publicly, Microsoft said that there were two reasons: first that “we all – governments and private sector – are increasingly transparent about nation-state attacks and efforts to disrupt democratic processes;” and second that “publishing this information should help others be more vigilant and take steps to protect themselves.”
It then flagged its own security on its email service, noting that all Microsoft customers can see a log of attempts to access their email, and pointed to a special “AccountGuard” service it runs for anyone that is “part of a political campaign, a political party committee or an NGO or think tank working on issues related to democracy.”
Redmond said that 60,000 accounts in 26 countries have the additional protection and that to date it has issued 800 notifications to Office 365 users of attempted nation-state attacks.
The announcement comes at an increasingly interesting time, with impeachment proceedings under way against President Trump for soliciting foreign help against a political rival.
Last night, Trump’s insistence that he had not sought a “quid pro quo,” in which the Ukrainian government agreed to investigations in return for US security funding and a visit to the White House, was directly contradicted when text messages between senior diplomats were published in which they explicitly and repeatedly indicated exactly that.
That revelation came just hours after Trump responded to widespread criticism of his actions in repeatedly asking Ukraine’s president to investigate Joe Biden’s son by publicly asking China to do the same in front of TV cameras.
While much of Washington, including the media, seemed caught up in soap operatics, security professionals continue to plead with everyone to take the issue of foreign intervention in US elections more seriously.
Microsoft’s announcement this morning highlights again that hostile nations are investing significant energy and resources into disrupting American elections by stealing and weaponizing private information. ®