Phosphorus (Iran): Phosphorus, a known Iran-backed threat actor was seen carrying out cyber-attacks trying to collect information about the upcoming U.S. presidential elections, according to Microsoft. Throughout 30 days between August and September 2019, 2,700 attempts were made by the group to identify emails of Microsoft users, and 241 Microsoft accounts were attacked in the process. The accounts that were targeted are associated with the presidential campaign in some way, whether they are people that work for the campaign, current or former politicians, government officials, or journalists reporting on world events surrounding Iran. Phosphorus managed to compromise four of the accounts, none of which were associated with the election, according to Microsoft. The threat actor was attempting to gain access to the secondary email that was being used by the victims, likely to use it to bypass two-factor authentication. These attacks that were seen by Microsoft were not sophisticated in any way, and for the time being, seemed to be more about collecting information versus exploiting stolen information.
Analyst Notes
The group seems very persistent in their efforts, and it is not believed that this will be the only attack they will carry out around the election. Now that this attack has been exposed, there is a chance the group may move to a more sophisticated attack style. Attacks around election time have primarily been seen by Russia in the past, but because of the current state of the relationship between Iran and the US, these attacks are no surprise. Microsoft has alerted the affected account holders and released a statement explaining that anyone who is associated with the upcoming presidential election in 2020 is eligible to get AccountGuard from Microsoft for free.
