On October 4, Microsoft reported that a group it calls Phosphorus made more than 2,700 attempts to identify email addresses of current and former U.S. officials, accounts associated with a U.S. presidential campaign and journalists covering political campaigns. Microsoft said it believed the group “originates from Iran and is linked to the Iranian government.” Phosphorus attacked 241 of the accounts between August and September. “Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials,” said Microsoft’s vice president of customer security and trust, Tom Burt, in a blog post.
Microsoft did not specify which campaign was targeted, but two people familiar with the attacks told The New York Times that it was the Trump campaign. Tim Murtaugh, the campaign’s communication director, however, said, “We have no indication that any of our campaign infrastructure was targeted.”
The information used, including phone numbers of customers, suggested that the attackers had invested significant time and resources researching their targets. “While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks,” Burt wrote.
The attack followed a cyber attack reportedly launched by the U.S. military against Iran in June 2019. In retaliation for Iran’s downing of a U.S. drone in the Persian Gulf, U.S. forces took down a system used by the Islamic Revolutionary Guard Corps to target oil tankers and shipping traffic. Reports of the latest Iranian effort came amid reports that the Trump administration was considering a cyber attack in retaliation for attacks on Saudi oil facilities in September, which Washington blamed on Tehran.
In May 2019, Facebook and Twitter disabled thousands of accounts that were part of a disinformation campaign thought to originate in Iran. Many of the accounts pushed negative messages about Saudi Arabia and Israel, the Islamic Republic’s regional rivals. Facebook removed 51 accounts, 36 pages, seven groups, and three Instagram accounts. The individuals behind the campaign impersonated journalists, legitimate news organizations and lied about where they were located. Two of the 2,800 disabled Twitter accounts mimicked Republican congressional candidates.