
Microsoft Reports On Cyber Attacks Targeting US November Elections; Iran Is Major Player

October 14th, 2020 06:28

In September, Microsoft reported on cyber-attacks it has detected targeting people and organizations involved in the upcoming November presidential election. According to the report, three groups, operating from Russia, China, and Iran, were identified:

  • Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties, and political consultants
  • Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community
  • Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign

It should be noted that in August 2020, the U.S. Department of Defense named Russia, China, and Iran as the main players which cyber experts are looking at concerning the November election. A US National Security Agency election security specialist reportedly said during a recent panel that "Iran is also getting into the influence game…and is learning from what other adversaries are doing." A Reuters investigation has found more than 70 websites that push Iranian propaganda to 15 countries, in an operation that cybersecurity experts, social media firms and journalists are only starting to uncover.

Various media outlets and think-tanks previously looked at the Iranian group Phosphorus:

  • According to a cybersecurity website, the group is also named APT35, Charming Kitten and Ajax Security Team. It reportedly works for Iranian intelligence and has a history of infiltrating the government networks of adversaries.
  • The Brookings Institution, a U.S. think-tank, noted that Phosphorus has been associated with phishing attacks in which the email appears to come from an antivirus vendor but is actually laced with malware.
  • In 2019 Reuters noted that over 30 days in August and September, Phosphorus made more than 2,700 attempts to identify consumer accounts, then attacked 241 of them.
  • An analysis by the United States Institute of Peace (USIP) said Phosphorus was behind an October 2019 failed attempt to breach accounts connected with President Trump's re-election campaign as well as the accounts of journalists and U.S. officials.

The same USIP report also named Phosphorus as among five known Iranian hacker groups that also included:

  • Izz ad-Din al-Qassam Cyber Fighters – This group claimed responsibility for the DDoS cyberattacks against U.S. financial institutions in September 2012. The same month, Sen. Joe Lieberman claimed that the group was connected to the IRGC's elite Qods Force.
  • APT33 (aka Elfin, Refined Kitten, Holmium) – This group carried out cyber espionage operations against aviation, military, and energy targets in the United States, Saudi Arabia and South Korea. Cybersecurity firm FireEye linked APT33 to the Iranian government.
  • OilRig – This group focused on private industry targets outside of Iran, most famously hacking Sheldon Adelson's Las Vegas Sands Corporation in February 2014. The group was, in turn, hacked by Turla, a Russian FSB-associated group. The Russians used the hijacked group's infrastructure to hack targets in the Middle East and the United Kingdom, according to U.S. and British officials in October 2019.
  • Iranian Dark Coders Team – This hacking collective primarily focused on cyber-vandalism. It defaced American and Israeli websites with pro-Hezbollah and pro-Iran propaganda in 2012. The group has not been tied to the Iranian government and may consist of freelancers or criminal elements.

The GIOR reported earlier on FBI indictments of seven Iranian hackers charged in connection with cyber intrusions and fraud, vandalism of U.S. websites, and intellectual property theft from U.S. aerospace and satellite technology companies.