Microsoft Seizes Malicious Iranian Hacker Websites
Recently unsealed court documents reveal a court order giving Microsoft authority to seize and shut down 99 websites used by Iranian hackers.
Microsoft’s Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013, according to Tom Burt, corporate vice president, customer security and trust, at Microsoft. The nation-state attacks targeted businesses and government agencies as well as activists and journalists advocating or reporting on Middle East issues.
These attacks were carried out under the guise of the Microsoft brand.

“By posing as Microsoft properties – LinkedIn, HotMail and OneDrive – the Iranian hackers not only accessed the private information of unknowing Microsoft users, they also stole priceless consumer trust,” said Monique Becenti, channel and product specialist at SiteLock.
“This is the most recent example in a growing trend of nation-state actors posing as trusted brands,” she added. “It’s often recommended that consumers only share personal information and passwords with known or reputable sites, but hackers are going as far as impersonating people in our personal networks to pull users to these malicious sites.”
The Iranian group of malicious hackers is known largely as Phosphorus but also operates as APT 35, Charming Kitten, and Ajax Security Team. Phosphorus is best known for spear phishing and fake account forms to collect user credentials. Both forms of attack use websites that appear to be from well-known brands such as Microsoft. The websites Microsoft seized were fake Microsoft websites.
“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our digital crimes unit’s sinkhole. The intelligence we collect from this sinkhole will be added to MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” said Burt.
Burt said Microsoft also is working with other technology firms such as Yahoo. The companies share threat information and work together to stop attacks and the hackers behind them.
The joint effort predates this latest instance.

“Our case against Phosphorus is similar to cases we’ve filed against another threat group called Strontium. We have used this approach 15 times to take control of 91 fake websites associated with Strontium,” said Burt.
The legal filings in Microsoft’s case against Phosphorus can be found here.
The need for more ways to successfully stop attacks grows every day. Nation-state attackers in particular have deep pockets and seemingly unending resources, making it that much harder for commercial enterprises to stop the attacks.
“This is the second time Microsoft has had a run-in with nation-state cybercriminals and it goes to show that even one of the biggest and most sophisticated technology companies in the world can’t prevent these types of attacks,” said Becenti.
“These attacks are becoming increasingly complex and evolving at a fast rate,” she said. “It’s time to reassess how much care and priority website security gets. While often viewed as the low-hanging fruit of political espionage, infected websites can easily create distrust and chaos in the political process. Bad actors know websites are often the weakest link and have infiltrated this time and time again.”
While success stories like this typically are met with celebration – and rightly so – there is an ethical concern brewing in the minds of some.
“Microsoft’s decision to seize the websites also raises another question — is this an abuse of power? If this were any other tech company, would the judge grant the same response? This could lead us down a slippery slope … and the potential consequences of big tech overreach are hard to overstate,” said Becenti.