Iranian APT Group Hacked Security Conference Attendees

Recently, in one of the reports, Microsoft asserted that they had detected some Iranian APT Phosphorous threat actors have hacked over 100 high-profile potential attendees of two international security and management conferences.

Microsoft has already started their work to stop the group of cybercriminals, as they are masquerading as organizers and targetting more than 100 high-profile individuals who belong to the conference organizers.

According to the report that has been affirmed by Microsoft, the Iranian hackers have successfully negotiated attendees of two global conferences. These global conferences include ambassadors and senior policy specialists.

However, the threat actor’s main motive was to steal all possible email credentials of the attendees. That’s why the threat actors have targeted the Munich Security Conference, as it is one of the most important gatherings on security for leaders of state and other world leaders.

This conference is being held annually for nearly 60 years, so T20 is a remarkably visible event that develops different policy ideas for the G20 nations and notifies all their significant studies.

Attacks not linked to the U.S. elections

The hackers are stealing all the organizers’ email credentials; that’s why the threat actors sent spoofed email offers between February and October 2020 to the former government executives, policy experts, academics, and officers from non-governmental foundations.  

Microsoft stated that the hackers were using accurate English in the spoofed emails and were masquerading as organizers of the Munich Security or the Think 20 (T20) conferences. On the other side, Brute, one of the security experts said that based on the current analysis, they do not believe that this activity is tied to the U.S. elections in any way.

Not only this, but Microsoft also affirmed that Phosphorus threat actors were spotted during May and June 2020 as they are trying to log into the accounts of both Trump campaign partners and U.S. admin leaders without much benefit.

Fake emails

The emails that are sent by the threat actors have come from fake conference organizers utilizing the email addresses:-

  • t20saudiarabia[@]outlook.sa
  • t20saudiarabia[@]gmail.com
  • munichconference[@]outlook.com

The threat actors use those credentials to log into the victims’ mailbox, to collect additional sensitive data, and thrust more such malicious attacks. The Iran-linked Phosphorus hacking group has conducted several waves this year by targeting both Trump and Biden’s campaign staffers with phishing attacks.

Attendees who might have been targeted in these initiatives are recommended to analyze and recheck any email-forwarding rules. By doing this, they can find any place that might have ones set during a successful hack of their email accounts.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.