- The group has many names, like Phosphorus, APT35 and Charming Kitten
- They used malicious software disguised as trustworthy websites to access personal information of users
Microsoft said it seized 99 websites used by Iranian hackers to steal sensitive information and launch other cyberattacks.
The company said the group, which it has been tracking since 2013, has tried to snoop on activists, journalists, political dissidents, defense industry workers and others in the Middle East, including some who were “protesting oppressive regimes” in the region.
Hackers did so by tricking people in those organizations into clicking on malicious links disguised to resemble well-known brands, including Microsoft and its LinkedIn, Outlook and Windows products, Microsoft said in court filings.
Wednesday’s announcement tied the hackers to the country of Iran but not specifically to its government. A spokesman for Iran’s mission to the United Nations didn’t respond to an email and phone call seeking comment Wednesday. Iran has denied involvement in other hacking efforts identified by Microsoft.
Microsoft calls the hacking group Phosphorus, while others call it APT35 or Charming Kitten.
Allison Wikoff, a security researcher at Atlanta-based Secureworks, said it is one of the “more active Iranian threat groups” she has observed. She said Microsoft’s takedown was a big win using a practice known as “sinkholing,” which involves taking over adversary domains and analyzing their traffic to protect against future attacks.
Microsoft sued the hacking group in US District Court in Washington this month and described a hacking operation that “demonstrates skill, patience and access to resources.”
The hackers’ malicious software, according to the lawsuit, “effectively morphs the trusted, Microsoft-trademarked Windows system into a tool of deception and theft.”
Microsoft said the group typically tries to infiltrate a target’s personal accounts, not their work accounts, by luring them into clicking on a link to a compromised website or opening a malicious attachment.
Hackers, the company said, used fake domain names that resembled Microsoft and other well-known brands. They also created fake social media profiles to target people. Microsoft said hackers were damaging the company by breaking into its customers’ online accounts and computer networks.
US District Judge Amy Berman Jackson sided with the company in a March 15 ruling, finding that there was good cause to believe the hacking activity was harming the company, its customers and the public. The documents were unsealed Wednesday.
Microsoft has taken hacking groups to court before. The Redmond, Washington, company used a similar strategy in 2016 to seize fake domains created by Russia-backed hackers who were later found to have been meddling in the US presidential election.