Microsoft disclosed Oct. 4 that hackers believed to be backed by the Iranian government tried to breach email accounts of a U.S. presidential campaign and several current and former U.S. government officials, at a time of already inflamed tensions between the two nations.
Over a 30-day period in August and September, the Microsoft Threat Intelligence Center observed 2,700 attempts to identify email accounts belonging to Microsoft customers, according to a blog post from Microsoft’s Corporate Vice President of Customer Security and Trust Tom Burt. The hackers subsequently launched attacks against 241 of those accounts.
Burt wrote that four accounts were compromised as a result, but not those of the campaign or U.S. government officials. Microsoft attributed the attacks to a group it calls “Phosphorous,” which it says it believes is associated with the Iranian government.
“The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran,” wrote Burt.
Microsoft did not disclose the campaign or the officials targeted. The New York Times reported that the attack was on President Donald Trump’s campaign.
Jon Bateman, a fellow in the Cyber Policy Initiative at the Carnegie Institute for International Peace and former special assistant to former chairman of the Joint Chiefs of Staff Gen. Joseph Dunford, said that the attacks on the government officials are “completely routine activity,” because of Iran’s interest in U.S. policymakers’ decision-making.
“The goal is to get any kind of behind-the-scenes insight that you can then integrate with other types of intelligence or open-source information to find out what the U.S. is thinking or doing,” Bateman told Fifth Domain.
On the campaign front, Iran is most likely trying to collect intelligence on the potential future of U.S. policy toward the country, Bateman said, though he noted it is difficult to specifically attribute motives.
“Iran may want to know what U.S. presidential candidates are thinking about on issues important to Iran, such as the nuclear deal, sanctions, tensions with Saudi Arabia, regional issues like Syria and Yemen ... it can [be] an attempt to better understand the direction of future policy,” said Bateman.
Phosphorous tried to compromise the accounts by researching its targets and using what it learned to “game” the password reset or account recovery process and take over the account, Burt wrote.
“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Burt explained. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”
The attacks were not sophisticated, he wrote, but the group’s use of personal information to identify and attack accounts was significant.
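The pattern Burt describes has two observable stages: a wave of lookups to confirm which addresses exist, followed by recovery attempts that lean on a secondary email address or phone number. The following is an added example, not Microsoft's detection logic or anything from the blog post, showing how a defender might flag that sequence in identity-provider audit logs. The log format, field names, event names, thresholds and all sample entries are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical identity provider (not real telemetry).
# Fields: timestamp | source_ip | event | account | channel
# Events: account_lookup (does this address exist?), recovery_start,
# recovery_code_sent (with the channel used), recovery_success.
SAMPLE_LOG = """\
2019-08-14T09:00:01Z|203.0.113.7|account_lookup|alice@example.org|-
2019-08-14T09:00:04Z|203.0.113.7|account_lookup|bob@example.org|-
2019-08-14T09:00:09Z|203.0.113.7|account_lookup|carol@example.org|-
2019-08-14T09:00:15Z|203.0.113.7|account_lookup|dave@example.org|-
2019-08-14T09:00:20Z|203.0.113.7|account_lookup|erin@example.org|-
2019-08-14T09:05:00Z|198.51.100.2|account_lookup|frank@example.org|-
2019-08-14T11:30:00Z|203.0.113.7|recovery_start|carol@example.org|-
2019-08-14T11:30:02Z|203.0.113.7|recovery_code_sent|carol@example.org|sms
2019-08-14T11:31:40Z|203.0.113.7|recovery_success|carol@example.org|sms
2019-08-14T12:00:00Z|192.0.2.55|recovery_start|frank@example.org|-
2019-08-14T12:00:01Z|192.0.2.55|recovery_code_sent|frank@example.org|secondary_email
2019-08-14T12:01:00Z|192.0.2.55|recovery_success|frank@example.org|secondary_email
"""

ENUM_THRESHOLD = 5                 # distinct accounts looked up by one source ...
ENUM_WINDOW = timedelta(minutes=10)  # ... inside this sliding window = enumeration
# Recovery channels an attacker can satisfy with researched personal data.
WEAK_CHANNELS = {"sms", "secondary_email"}


def parse_log(text):
    """Parse the pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, event, account, channel = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "event": event, "account": account, "channel": channel})
    return events


def find_enumerators(events):
    """Return {source_ip: accounts} for sources whose lookups of distinct
    accounts reach ENUM_THRESHOLD within any ENUM_WINDOW-sized window."""
    lookups = defaultdict(list)
    for e in events:
        if e["event"] == "account_lookup":
            lookups[e["ip"]].append(e)
    flagged = {}
    for ip, evs in lookups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits ENUM_WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > ENUM_WINDOW:
                start += 1
            window_accounts = {e["account"] for e in evs[start:end + 1]}
            if len(window_accounts) >= ENUM_THRESHOLD:
                flagged.setdefault(ip, set()).update(window_accounts)
    return flagged


def detect_recovery_abuse(events):
    """Alert on completed recoveries that are tied to enumeration activity
    and/or relied only on a weak (researchable) verification channel."""
    enumerators = find_enumerators(events)
    probed = {acct for accts in enumerators.values() for acct in accts}
    channel_used = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "recovery_code_sent":
            channel_used[e["account"]] = e["channel"]
        elif e["event"] == "recovery_success":
            channel = channel_used.get(e["account"], "unknown")
            reasons = []
            if e["account"] in probed:
                reasons.append("account_previously_enumerated")
            if e["ip"] in enumerators:
                reasons.append("source_is_enumerator")
            if channel in WEAK_CHANNELS:
                reasons.append("weak_channel:" + channel)
            if not reasons:
                continue
            linked = any(r.startswith(("account_", "source_")) for r in reasons)
            weak = channel in WEAK_CHANNELS
            severity = "high" if linked and weak else "medium" if linked else "low"
            alerts.append({"account": e["account"], "source_ip": e["ip"],
                           "channel": channel, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_abuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample data, the recovery of carol@example.org scores high because the same source enumerated five addresses earlier that day and then completed a reset over SMS; frank@example.org scores low because the only signal is that a secondary-email reset succeeded, which is ordinary user behaviour. The severity split is the point: a weak recovery channel on its own is a policy observation, while a weak channel combined with prior enumeration of the same account is the sequence the article describes and is worth an analyst's time.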
“This effort suggests Phosphorous is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering,” Burt wrote.
Bateman put it another way: “They can afford to pay someone a salary and sit at a keyboard for eight hours a day to see if they can make progress against the target over time.”
Top U.S. officials across the government have long warned that nation-state actors beyond the Russian government were preparing cyber activity against the 2020 election. Microsoft’s disclosure of the intrusion attempts comes at a moment of tense relations between the United States and Iran, after a summer of kinetic and cyberattacks against military infrastructure, and just weeks after Iran allegedly launched a drone attack against Saudi Arabian oil facilities.
“I view this as one more indicator of continued nation-state interest in the U.S. 2020 election and further need for a reset of the dialogue on this issue,” said John Dickson, principal at Denim Group, a cybersecurity company. “There is broad consensus that the Russians were heavily involved in manipulating the 2016 election. Given the mixed response on our side, the Russians and other nation states will continue to probe and conduct similar reconnaissance in preparation for any major interference operations in 2020.”
Jamil Jaffer, vice president of strategy and partnerships at IronNet Cybersecurity, said Iran “continues to be undeterred” from actions against the United States. Several sources said that the United States needed to take action to punish the regime for its actions both in and out of cyberspace.
“If the U.S. is to limit Iran’s effort against the United States and its allies we need to impose consequences for this type of behavior,” said Jaffer.
Several sources who spoke with Fifth Domain applauded Microsoft for publicly disclosing the attack by the Iranians. Microsoft said it was disclosing the attacks in an effort to be “increasingly transparent about nation-state attacks and efforts to disrupt democratic processes.”
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.