
Microsoft Got 99 Domains Used to Phish Someone

Microsoft has taken over the infrastructure of an attack group known as Phosphorus or APT35 that is responsible for hacking and spear-phishing campaigns against a wide range of individuals and organizations, including activists, defense companies, and journalists.

As part of the takedown, Microsoft obtained a court order to assume control of 99 domains that the Phosphorus group used in its campaigns. Many of those domains were made to look like they belonged to Microsoft or other tech companies, such as outlook-verify.net and verification-live.net. The attackers used highly targeted phishing emails with links that led to malware installation, and the domains Microsoft took over were used both in the phishing campaigns and as part of the group's command-and-control infrastructure. Microsoft officials said the Phosphorus group is tied to Iran.
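Lookalike domains such as the two named above combine a brand name with an account-security lure word in a registrable domain the brand does not own. As an added example (not Microsoft's tooling or anything from the court filing), the following Python triage function scores hostnames from DNS or proxy logs on exactly that pattern; the brand tokens, lure words, allow-list and sample hosts are constructed assumptions.

```python
"""Triage hostnames for brand-impersonating lookalike domains of the kind
named in the Phosphorus takedown (e.g. outlook-verify.net)."""
import re

# Constructed lists: brands the article says were imitated, and lure words
# typical of fake "there is a security risk to your account" notices.
BRAND_TOKENS = {"microsoft", "outlook", "live", "hotmail", "office"}
LURE_TOKENS = {"verify", "verification", "verified", "secure", "security",
               "login", "signin", "account", "alert", "update"}
# Hypothetical allow-list of registrable domains the brand actually owns.
LEGIT_DOMAINS = {"microsoft.com", "outlook.com", "live.com", "hotmail.com", "office.com"}

def registrable_domain(host):
    """Last two labels of the host. Simplification: no public-suffix list,
    so 'outlook.co.uk' would be mis-split; enough for .com/.net lures."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_score(host):
    """Return (score, reasons). Subdomains of allow-listed domains score 0,
    so login.live.com is not confused with verification-live.net."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return 0, ["allow-listed registrable domain"]
    label = reg.split(".")[0]                     # e.g. 'outlook-verify'
    tokens = {t for t in re.split(r"[-_]", label) if t}
    brand = tokens & BRAND_TOKENS
    # Substring matching only for long names: 'live' as a substring would
    # flag 'delivery' and 'olive', so short brands need an exact token.
    brand |= {b for b in BRAND_TOKENS if len(b) >= 6 and b in label}
    lure = tokens & LURE_TOKENS
    lure |= {w for w in LURE_TOKENS if len(w) >= 6 and w in label}
    score, reasons = 0, []
    if brand:
        score += 2
        reasons.append("brand token outside brand-owned domain: " + ",".join(sorted(brand)))
    if lure:
        score += 1
        reasons.append("account-security lure word: " + ",".join(sorted(lure)))
    return score, reasons

def triage(hosts, threshold=2):
    """Return [(host, score, reasons)] at or above threshold, highest score first."""
    flagged = [(h, *lookalike_score(h)) for h in hosts]
    return sorted((f for f in flagged if f[1] >= threshold), key=lambda f: -f[1])

# Constructed sample: the two domains from the article plus benign traffic.
SAMPLE_HOSTS = ["outlook-verify.net", "verification-live.net", "login.live.com",
                "outlook.com", "delivery-secure.example", "mail.example.org"]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_HOSTS):
        print(host, score, "; ".join(reasons))
```

A lure word alone (delivery-secure.example) stays below the default threshold; only the brand-plus-lure combination is surfaced, which keeps the output reviewable by an analyst.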

“Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013. Its activity is usually designed to gain access to the computer systems of businesses and government agencies and steal sensitive information. Its targets also include activists and journalists – especially those involved in advocacy and reporting on issues related to the Middle East,” Tom Burt, Microsoft corporate vice president for customer security and trust, said.

“Phosphorus typically attempts to compromise the personal accounts of individuals through a technique known as spear-phishing, using social engineering to entice someone to click on a link, sometimes sent through fake social media accounts that appear to belong to friendly contacts. The link contains malicious software that enables Phosphorus to access computer systems. Phosphorus also uses a technique whereby it sends people an email that makes it seem as if there’s a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems.”

Although spear phishing is one of the older and more common attack techniques and is used by any number of low-level cybercrime groups and lone thieves, it’s also commonly used by much more sophisticated and well-funded teams. Many APT groups rely on spear phishing in their campaigns for a number of reasons, but mostly because it works. In the case of Phosphorus, the group used simple but highly effective phishing emails to lure victims into clicking on a malicious link or entering their own credentials on a fake webpage.


“When a victim clicks on the link in the email, his or her computer is connected with the Phosphorus-controlled website. The victim is then presented a copy of a webpage that appears to be a login page for a webmail provider of which the victim is a subscriber. In fact, this is a fake login page that is designed to induce the user to type in their webmail credentials. If the victim enters the correct credentials, at that point Phosphorus obtains the user’s credentials and can thereafter access the user’s webmail account to steal email content and other information,” the Microsoft court filing says.

The Phosphorus group has been active for at least five years, according to researchers, and it’s known to target several different types of organizations and individuals, such as government employees, journalists, political dissidents, and employees of companies in the defense industry. Microsoft and other researchers have been following the group’s activities for several years, and Microsoft decided to go after Phosphorus because of the effect the group’s attacks were having on the company and its customers.

“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations. Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure,” Burt said.

“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit’s sinkhole.”

Microsoft has used this technique of court orders, domain takeovers, and sinkholing against many other attack groups over the years, and it has proven quite effective. Last year, just before the mid-term elections, Microsoft took over several domains used by the APT28 group, also known as Fancy Bear, which is tied to the Russian government.