Hackers backed by the Iranian government recently tried to hack email accounts used by the campaign of a US presidential candidate, a Microsoft official said on Friday.
The “Phosphorous” hackers, as Microsoft has named the group, targeted the unidentified campaign by attempting to access email accounts campaign staff received through Microsoft cloud services. Rather than relying on malware or exploiting software vulnerabilities, the attackers worked relentlessly to gather information that could be used to activate password resets and other account recovery services Microsoft provides.
The attacks on the campaign were part of a major offensive by Phosphorous that—over a 30-day period from August to September—made more than 2,700 attempts to identify consumer email accounts belonging to targeted individuals. Besides campaign staff, targeted accounts also belonged to current and former US government officials, journalists covering global politics, and prominent Iranians living outside of Iran. Of the more than 2,700 attempts to identify accounts, 241 of them were attacked. The attacks resulted in the successful compromise of four accounts, none of which belonged to the campaign.
“While the attacks were disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks,” Tom Burt, Microsofts corporate vice president of customer security and trust, wrote in a post. “This effort suggests Phosphorous is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering.”
According to Burt, heres how the account takeover attempts worked:
Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a users Microsoft account, then attempt to gain access to a users Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.
In July, Microsoft said that in the previous 12 months, it notified almost 10,000 customers that they had been targeted or compromised by nation-sponsored hackers. Chief among the hacking groups were Holmium and Mercury, both of them codenames for distinct groups backed by Irans government. Other attacks were sponsored by the governments of Russia and North Korea. About 84 percent of the attacks targeted large “enterprise” organizations such as corporations, with the remaining 16 percent hitting consumers.
Gird your loins
Burt on Friday called on Microsoft customers to enable two-step verification (2SV) to protect their accounts. The most robust form of 2SV requires users to have a physical security key such as a Yubikey from Yubico. Before an account can be accessed from a new computer or phone, the user must plug the key into a USB slotRead More – Source