Microsoft Corp. has warned that an Iranian-linked advanced protection threat group is targeting attendees of the forthcoming 2021 Munich Security Conference.
The annual event, run since 1963, is an international security conference that attracts senior decision-makers and thought leaders, including heads of state, ministers and leading personalities from international and nongovernmental organizations.
In a blog post today, Tom Burt, corporate vice president for customer security and trust at Microsoft, said it detected and worked to stop a series of cyberattacks targeting the conference and its attendees from the Phosphorous APT group. The Iranian group was most recently linked to hacking attempts targeting both the Trump and Biden U.S. presidential campaigns Oct. 6.
The Phosphorous group is also said to be targeting attendees of the Think 20 Summit in Saudi Arabia as well, an official G20 summit that attracts heads of government, ministers and other senior officials.
The attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organizations. Phosphorus even assuaged fears of travel during the COVID-19 pandemic by offering remote sessions.
“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” Burt wrote. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”
Microsoft is working with conference organizers to warn attendees of the hacking campaign.
“The Iranians have a long tradition of sending targeted emails to senior officials at key national security institutions,” Jonathan Reiber, senior director of cybersecurity strategy and policy at cybersecurity firm AttackIQ Inc., told SiliconANGLE. “They’re talented at it; the emails are often tailored to the individual, come from an address that appears like the name of an official the target individual would know and contain fake PDFs that would be of interest to the individual.”
Unfortunately, he said, it appears the operations may have succeeded in accessing information from several attendees that have a hand in foreign policies in their countries. “The more data a hostile actor can steal, the better informed they are for future operations, which could be leaks for disinformation and influence operations, targeted financial theft or more,” he said. “The biggest concern is that by gaining access to senior leaders’ personal information they will be able to escalate access privileges and gain access to critical security information at the leaders’ institutions.”
James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc. noted that the mailing lists for previous conferences could have been collected via a data breach or other theft and the cybercriminals are using those lists to target the users specifically.
“The user may feel more relaxed and not scrutinize the email, as it appears to come from a trusted source, especially if he or she had previously attended the conference,” he said. “End-users receiving these types of emails will want to make sure they know the social engineering scams and techniques used by cybercriminals.”
Source » siliconangle