As America hurtles toward another presidential election, the threat of Russian hacking, meddling, and general deleterious behavior has occupied the minds of US government officials and average voters alike. But on Friday, Microsoft sounded an alarm that serves as a timely reminder that Russia doesn't have a monopoly on election hacking. In an aggressive new email phishing push, the company says, Iranian hackers targeted a US presidential campaign.
Microsoft wouldn't say which candidate's operations the Iranian assailants hit, but Reuters reported on Friday that the target was President Donald Trump's reelection campaign, which is known to use Outlook as its email provider. Microsoft noted that the attacks on the campaign did not succeed. In a 30-day stretch during August and September, Microsoft saw hackers launch 2,700 attempts to identify specific target email accounts, including those belonging to current and former US government officials, journalists, and Iranians living outside Iran. They ultimately attacked 241 of those and successfully compromised four—none of which were associated with the US presidential candidate or government officials. Microsoft has notified the victims.
Microsoft calls the Iran-linked hacker group Phosphorous and has tracked its activity in the past. The group is also known as APT 35 and Charming Kitten. In March, unsealed court documents revealed that Microsoft had obtained a court order to take over and dismantle 99 websites the group had used to launch its attacks.
"While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks," Tom Burt, Microsoft's corporate vice president of customer security and trust wrote in the report on Friday. "It is important that we all—governments and private sector—are increasingly transparent about nation-state attacks and efforts to disrupt democratic processes."
The Iranian group's tactics may not involve cutting-edge digital hacking tools, but tailored phishing attacks were, after all, how Russia got access to sensitive documents from both the Democratic National Committee and Hillary Clinton's presidential campaign in 2016. Charming Kitten is known for conducting careful research on its targets, crafting tailored phishing campaigns, and hoarding the login credentials it nabs in its attacks. The group is consistently active, but in the past researchers have noticed that it goes through quieter periods, perhaps while planning hacking campaigns, followed by bursts of activity. In October 2018, for example, Charming Kitten launched a series of attacks against US Treasury officials, diplomatic groups, and Washington, DC, think tanks.
Microsoft says that in the campaign it observed, Charming Kitten used personal details about the targets—including phone numbers and secondary email addresses—to try to reset passwords and take over accounts.
Iranian hackers have gradually ramped up their activity against US targets roughly since October 2017, when Trump first announced that he would not recertify Iran’s cooperation with the 2015 Obama administration's nuclear agreement. But over the past few months, tensions between the two countries have escalated even more, fueling combative rhetoric from Trump and cyberaggression on both sides.
More troublingly, the attack drives home the point that experts have long warned about: Russia's not the only country interested in interfering in the 2020 US election.
"Due to the success of the Russians in the 2016 US election, their model is being emulated across the globe," says Jeff Bardin, chief intelligence officer of the cybersecurity intelligence firm Treadstone 71, which monitors Iranian hacking activity. "In terms of who Iran might target in the US, you would have to ask yourself what candidate or candidates would best suit Iranian needs as a president of the United States. And the interesting thing with that is that Iran's effort would likely be counter to the efforts of Russian cyber-operations and those of other countries. So what you end up having is the potential for numerous massive attempts to manipulate the American voter that may turn to absolute noise and contradictory data."
In 2016, then-candidate Trump actively called on Russia to hack his general-election opponent, Hillary Clinton. But the apparent Iran targeting shows what experts in international affairs and cybersecurity alike have tried to convey since 2016: No candidate is immune from all digital attacks as a result of their ideological views.
Russia's tactics alone sowed uncertainty and damaging doubt about the reliability of US elections after the 2016 season. With the 2020 elections rapidly approaching, the threat of adding even more cooks into that kitchen is very real.
Updated October 4, 2019, 4:00 pm ET, to include a Reuters report that the Trump campaign was the unnamed phishing target.