SEATTLE — An effort believed to be tied to the Iranian government attempted to identify, attack and breach email accounts belonging to a U.S. presidential campaign, government officials and journalists, according to new data unveiled by Microsoft, highlighting the continued global security threats that loom over the fast-approaching 2020 election.
The intrusion observed by Microsoft, spearheaded by an outfit it calls Phosphorus, made more than 2,700 attempts to identify personal email addresses that belonged to the company’s customers over a 30-day period between August and September, 241 of which were then attacked. Four were compromised, but they do not belong to the presidential campaign or government officials, according to the tech giant.
Reuters and other news media outlets reported Friday that the hackers targeted President Trump’s campaign.
Microsoft said it notified the customers attacked and has worked with those whose accounts were compromised to secure them. It declined to disclose the names of the account holders, including the presidential campaign that had been targeted. Microsoft declined to comment beyond a blog post disclosing the news Friday.
Tim Murtaugh, a spokesman for President Trump’s 2020 campaign, said he has “no indication that any of our campaign infrastructure was targeted.” Asked to clarify whether Microsoft had contacted the campaign about Iranian targeting of either the campaign or campaign personnel’s personal email accounts, Murtaugh said: “We have no further comment.”
The news Friday is the latest reminder that the U.S. is likely still vulnerable to security threats when it comes to the 2020 presidential election. Tech giants like Facebook and Twitter, as well as politicians and security officials have all made the next presidential election a priority as they race to combat hackers — some of whom are working for foreign governments.
Still, recent technology developments like increasingly realistic “deepfake” or otherwise manipulated videos have many cybersecurity experts concerned about how hackers might be able to manipulate public perception in the way the Russians did in 2016.
During the last presidential election, U.S. officials uncovered a sprawling effort backed by the Kremlin to trigger social and political unrest on major social media sites. Russian hackers also targeted Democratic candidate Hillary Clinton by hacking the emails of one of her top lieutenants, the contents of which were later dumped on Wikileaks.
Since then, other countries have come to adopt more of Russia’s playbook, including Iran, which for years has targeted U.S. officials through “large-scale intrusion attempts,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. But Iran only has become more aggressive recently in response to President Trump, he said, who has imposed massive sanctions and pulled out of an international deal over the country’s nuclear program.
“The Iranians are very aggressive, and they could leverage whatever access they get for an upper hand in any kind of negotiations,” Hultquist added. “They could cause a lot of mayhem.”
Other tech companies also have been warning about the rising Iranian threat, largely out of concern that malicious actors originating in the country were spreading disinformation online. In May, for example, Facebook and Twitter said they had removed a sprawling Iranian-based propaganda operation, including accounts that mimicked Republican congressional candidates and appeared to try to push pro-Iranian political messages on social media. Some of those accounts similarly took aim at U.S. policymakers and journalists, researchers said at the time.
Private-sector analysts have documented a gradual increase in cyber activity by Iran and its proxies targeting U.S. industry since 2014, and especially in the last year. It has often come in the form of targeted phishing attempts seeking access to computer systems in the energy sector.
Christopher Krebs, director of DHS’ Cybersecurity and Infrastructure Security Agency, said in a statement that the agency is working with Microsoft “to assess and mitigate impacts.
“While much of this activity can likely be attributed to run-of-the-mill foreign intelligence service work, Microsoft’s claims that a presidential campaign was targeted is yet more evidence that our adversaries are looking to undermine our democratic institutions,” he said in the statement. He urged Americans to be on their guard.
In June, Krebs told The Washington Post that “Iranian hackers and their proxies “are not just garden-variety run-of-the-mill data thieves,” he said. “These are the guys that come in and they burn the house down.” He urged companies and organizations to take computer security seriously.
Microsoft software is present in far more computers around the world than U.S. law enforcement and intelligence agencies, giving the company a broader window into the threat than government authorities.
The Democratic National Committee warned campaigns about the Phosphorus attacks Tuesday, noting that the group has been targeting personal and professional email accounts. The DNC recommended that members review logs for connection attempts in August and September.
“They create believable spear phishing emails and fake LinkedIn profiles as primary tactics,” according to the email from the DNC obtained by The Post. Microsoft also owns the LinkedIn professional social network.
Spokespeople for Democratic candidates including Sens. Elizabeth Warren, D-Mass., and Cory Booker, D-N.J., did not immediately respond to requests for comment. Spokespeople for former vice president Joe Biden and Sen. Bernie Sanders, I-Vt., declined to comment. Ian Sams, a spokesman for Sen. Kamala Harris, D-Calif., said he had “no indication that our campaign is the one Microsoft referenced or that we have been targeted by this attack.”
To target political and government officials’ emails, Phosphorus hackers tried to figure out how to reset passwords or otherwise trigger account recovery features to take over accounts, Microsoft said. In some instances, Microsoft found that the group gathered phone numbers belonging to its targets to try to authenticate password resets.
The attacks were not “technically sophisticated,” Microsoft’s vice president of customer security and trust, Tom Burt, wrote in the blog post. But he noted that they used significant amounts of the targets’ personal information, suggesting that Phosphorus was willing to invest “significant time and resources engaging in research and other means of information gathering.”
This isn’t Microsoft’s first brush with Phosphorus. The company, which names hacking groups after elements on the periodic table, seized 99 websites in March it said were used by the group to launch cyberattacks against government agencies, businesses and users in Washington. Microsoft said it had been tracking the group for six years. Other researchers have tagged the group Ajax Security Team, APT 35 and Charming Kitten.
At the time, Microsoft said Phosphorus had targeted activists and journalists, “especially those involved in advocacy and reporting on issues related to the Middle East.”
Phosphorus used the websites Microsoft seized this spring to trick visitors into downloading malicious software that appeared authentic. But that was only one of the group’s tactics. In Phosphorus’s latest attempts, the group tried to trick users into give up codes that are used for two-factor authentication.
The fact that these attacks rely on social engineering, rather than technical skill, makes them particularly difficult to thwart. Tech giants can often detect digital anomalies intended to undermine email and server software. But it’s much harder to use algorithms to detect phishing attempts aimed at tricking users. In May, Microsoft offered software to federal campaigns and national political committees to help prevent such breaches.
Allison Wikoff, a researcher with Atlanta-based Secureworks who has conducted previous analysis on Phosphorus, said Microsoft’s report marked the first public disclosure of attempted intrusion on a 2020 presidential campaign. It is possible, however, that similar activities have unfolded but gone unobserved, she noted.
The level of research that went into identifying targets, as social media and other tools become more and more central to the tactics of the suspected hackers, was particularly noteworthy, Wikoff said.
“This group and other Iranian groups are very focused on the credentials of particular people of interest, whether they be U.S. government officials or people working for other types of companies that may be of strategic interest to the Iranian government,” Wikoff said.
The Washington Post’s Isaac Stanley-Becker contributed to this report.
Send questions/comments to the editors.