Microsoft says Iranian hackers targeted high-profile international conference attendees for intelligence collection purposes. The company reported that the Iranian advanced persistent threat (APT) group impersonated conference organizers and sent fake invitations using spoofed emails.
Microsoft has tracked the threat actor since 2013, accusing it of targeting journalists, political dissidents, activists, defense industry workers, prominent Iranians living abroad, and others in the Middle East.
The group has also targeted politicians, including U.S. presidential hopefuls. Microsoft reported that several high-ranking officials’ accounts were compromised.
Iranian hackers on intelligence collection mission
The hacking attempts implicated Iranian hackers identified as Phosphorus, APT35, or Charming Kitten. Microsoft’s security chief, Tom Burt, confirmed that “Phosphorus is engaging in these attacks for intelligence collection purposes.”
The hackers targeted over 100 high-profile individuals expected to attend the Munich Security Conference and Think 20 Summit in Germany and Saudi Arabia, respectively.
Attendees of the Munich Security Conference include Canadian Prime Minister Justin Trudeau, French President Emmanuel Macron, U.S. Secretary of State Mike Pompeo, and Speaker Nancy Pelosi (D-Calif.). It’s unclear whether the Iranian hackers targeted any of these individuals.
Microsoft disclosed that the attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their home countries. However, the company did not disclose the nationalities of the individuals affected by the intelligence collection campaign.
Phosphorus also attempted to dupe former government officials, policy experts, and academics in its intelligence collection efforts.
Microsoft noted that the Iranian hackers crafted the emails “in perfect English” to dupe the high-profile individuals.
The hackers provided details such as the available remote sessions and travel logistics. The attackers would then trick the victims into entering their login details into a fake login…