Microsoft: Iranian hacking group targeting attendees of major international security conferences

Microsoft on Wednesday reported that an Iranian hacking group had attempted to target high-ranking attendees of international security conferences, including the upcoming Munich Security Conference. 

Tom Burt, the corporate vice president of Customer Security and Trust at Microsoft, wrote in a blog post that the Iranian hacking group known as “Phosphorus” had “masqueraded” as conference organizers in order to target around 100 high profile individuals who are set to attend the Munich Security Conference or the Think 20 (T20) Summit in Saudi Arabia.

The hacking group sent phishing emails, written in English, inviting recipients to attend the conferences and giving details on travel logistics and potential remote sessions. According to Burt, the group was able to successfully compromise the accounts of “several victims,” including those belonging to former ambassadors and other foreign policy experts. 

“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” Burt wrote. “We’ve already worked with conference organizers who have warned and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events.”

The annual Munich Security Conference is due to take place over three days in February next year, while the T20 Summit will take place beginning later this week. 

While the schedule for next year’s Munich Security Conference has not yet been announced, 2020 participants included high-ranking leaders from all over the world, including French President Emmanuel Macron, Canadian Prime Minister Justin Trudeau, Secretary of State Mike Pompeo and Speaker Nancy Pelosi (D-Calif.). 

Microsoft disclosed last year that the Phosphorus group, which the company believes is tied to the Iranian government, had targeted and attacked hundreds of Microsoft accounts, including accounts used by staffers of an unnamed presidential campaign. 

Reuters later reported that the campaign targeted was President Trump’s reelection campaign, though a Trump campaign spokesperson told The Hill at the time that there was “no indication” that any campaign infrastructure was targeted. 

Burt emphasized Wednesday that the new activity was not “tied to the U.S. elections in any way.”

Microsoft warned in September that it was seeing a spike in nation-state cyber targeting of U.S. public policy groups and organizations involved in COVID-19 research. Burt pointed to this assessment Wednesday in urging groups to stay on guard against malicious cyber targeting.

“We will continue to use a combination of technology, operations, legal action and policy to disrupt and deter malicious activity, but nothing replaces vigilance from people who are likely targets of these operations,” Burt wrote.