[BreachExchange] Microsoft Hails “Significant” Disruption of Iranian APT Group

Destry Winant destry at riskbasedsecurity.com
Mon Apr 1 09:09:40 EDT 2019


https://www.infosecurity-magazine.com/news/microsoft-significant-disruption-1/

Microsoft is claiming its attempts at disrupting a well-known Iranian
state-sponsored APT group have had a “significant impact.”

Unsealed court documents reveal the work of Microsoft’s Digital Crimes
Unit (DCU) in targeting the Tehran-linked APT35 group, also known as
Charming Kitten and Phosphorus, according to VP of customer security
and trust, Tom Burt.

A court order allowed the unit to take control of 99 phishing domains
— including outlook-verify.net, yahoo-verify.net,
verification-live.com, and myaccount-services.net — which were used to
harvest victims’ credentials.
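The four domains named above follow a recognisable brand-plus-lure naming pattern (a spoofed brand such as outlook, yahoo or live joined to a credential-lure word such as verify or services), and once seized they resolve to Microsoft's sinkhole, so a client resolving them is itself a signal worth investigating. The following is an added example, not code from the article, from Microsoft or from the DCU: a small detector that runs over DNS query logs, matching the article's four domains as known indicators and flagging other registrable domains that fit the same pattern. The log line format, the client addresses, the extra domain microsoft-login.com and the brand and lure word lists are all constructed for the example.

```python
"""Flag DNS lookups for known and look-alike credential-phishing domains.

Added example. The four known domains are the ones named in the article;
everything else (log format, token lists, sample clients) is constructed.
"""
import re

# Indicators named in the article (APT35 / Phosphorus domains seized by Microsoft).
KNOWN_PHISHING_DOMAINS = {
    "outlook-verify.net",
    "yahoo-verify.net",
    "verification-live.com",
    "myaccount-services.net",
}

# Registrable domains the spoofed brands actually own (assumed allow-list).
LEGIT_DOMAINS = {"live.com", "outlook.com", "yahoo.com", "microsoft.com", "office.com"}

# Heuristic word lists (my assumption, not from the article): a spoofed brand
# token combined with a credential-lure token in the same label is suspicious.
BRAND_TOKENS = {"outlook", "yahoo", "live", "microsoft", "office", "myaccount"}
LURE_TOKENS = {"verify", "verification", "services", "service", "login",
               "signin", "secure", "account"}

# Constructed log format: ISO timestamp, client=<ip>, query=<qname>, type=<rr>.
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def registrable(fqdn):
    """Return the last two labels of a name (a simplification: no public-suffix
    handling, so names under co.uk and similar would need a suffix list)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify(fqdn):
    """Classify a queried name as allow, block-ioc or suspect-lookalike."""
    domain = registrable(fqdn)
    if domain in LEGIT_DOMAINS:
        return "allow"
    if domain in KNOWN_PHISHING_DOMAINS:
        return "block-ioc"
    label = domain.split(".")[0]
    # Substring matching catches both "outlook-verify" and "outlookverify".
    has_brand = any(b in label for b in BRAND_TOKENS)
    has_lure = any(l in label for l in LURE_TOKENS)
    if has_brand and has_lure:
        return "suspect-lookalike"
    return "allow"


def scan_dns_log(lines):
    """Return (client, registrable_domain, verdict) for every non-allowed query."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        verdict = classify(m["qname"])
        if verdict != "allow":
            hits.append((m["client"], registrable(m["qname"]), verdict))
    return hits


# Constructed sample log; the clients, times and microsoft-login.com are invented.
SAMPLE_LOG = [
    "2019-03-27T10:01:02Z client=10.0.0.12 query=outlook-verify.net type=A",
    "2019-03-27T10:01:05Z client=10.0.0.12 query=mail.live.com type=A",
    "2019-03-27T10:02:11Z client=10.0.0.31 query=www.verification-live.com type=A",
    "2019-03-27T10:03:40Z client=10.0.0.44 query=microsoft-login.com type=A",
    "2019-03-27T10:04:00Z client=10.0.0.44 query=github.com type=A",
]

if __name__ == "__main__":
    for client, domain, verdict in scan_dns_log(SAMPLE_LOG):
        print(f"{verdict:18} {client:12} {domain}")
```

The known-indicator match is the high-confidence signal; the look-alike heuristic is deliberately loose (a label such as olive-services would trip it) and is meant to surface candidates for a human to review, not to block on its own. After a seizure, resolutions of the seized names are also what feed the sinkhole intelligence the article describes, so internal DNS logs showing them point at the specific hosts that were phished.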

“The action we executed last week enabled us to take control of 99
websites and redirect traffic from infected devices to our Digital
Crimes Unit’s sinkhole. The intelligence we collect from this sinkhole
will be added to [Microsoft Threat Intelligence Center] MSTIC’s
existing knowledge of Phosphorus and shared with Microsoft security
products and services to improve detections and protections for our
customers,” explained Burt.

“Throughout the course of tracking Phosphorus, we’ve worked closely
with a number of other technology companies, including Yahoo, to share
threat information and jointly stop attacks.”

Burt thanked these other tech firms for their assistance, as well as
the domain companies that were required to transfer websites
registered by APT35 to Microsoft, under the court order.

While these efforts will certainly not put an end to the state-backed
group’s activities, they will make life somewhat harder for the
attackers while yielding valuable intelligence on their operations.

The group has been detected in the past targeting businesses,
government agencies, activists and journalists with
information-stealing raids.

It is the same tactic Microsoft used to disrupt the notorious Russian
APT28 (aka Strontium) group, which has been blamed for info-stealing
attacks on Democratic Party officials ahead of the 2016 US presidential
election.

Burt claimed Microsoft had used the approach 15 times, controlling 91
spoofed websites registered by the Kremlin-backed group.
