Microsoft has recently announced that it had taken control of 99 domains used by an Iran-linked APT group tracked by the tech giant as Phosphorus (aka APT35, Charming Kitten,
“Today, court documents were unsealed detailing work Microsoft’s Digital Crimes Unit has executed to disrupt
The Newscaster group made headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Microsoft has been tracking the threat actors at least since 2013, but experts believe that the
Microsoft took control of the domains used by Phosphorus after filing a legal complaint in the U.S. District Court for Washington D.C. against two John Does that are allegedly behind the group’s operations.
“Plaintiff Microsoft Corporation (“Microsoft”) has sued Defendants John Does 1-2 associated with the Internet domains listed below.” reads the notice of pleadings. “Microsoft alleges that Defendants have violated Federal and state law by hosting a
The court order obtained by Microsoft authorized the company to seize the domains and redirect traffic from compromised devices to a sinkhole.
The domains mimic services belonging to Microsoft and other legitimate online services, such as LinkedIn and Yahoo. The list of seized domains includes verification-live.com, outlook-verify.net, myaccount-services.net, verify-linkedin.net, and yahoo-verify.net.
The threat actors used the websites to serve malware to the victims; they also sent out emails warning recipients of a security risk in order to trick them into handing over their account credentials.
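The seized domains share one pattern: a brand word (outlook, linkedin, yahoo, live) glued to a lure word (verify, verification, services) on a TLD the brand does not own. The following is an added example, not code from the article or from Microsoft, of how a defender can triage DNS or proxy logs for that pattern. The allowlist of brand-owned domains, the token lists and the log lines are constructed assumptions for the example; a real deployment would use a maintained allowlist and a proper public-suffix library.

```python
"""Heuristic lookalike-domain triage for DNS logs (added example, not from the article)."""
import re

# Assumed allowlist of domains the impersonated brands actually own.
LEGIT_DOMAINS = {"microsoft.com", "live.com", "outlook.com", "office.com",
                 "linkedin.com", "yahoo.com"}
# Brand words that appeared in the seized Phosphorus domains.
BRAND_TOKENS = ("microsoft", "outlook", "live", "linkedin", "yahoo", "myaccount")
# Lure words typical of credential-harvesting pages (assumed list).
LURE_TOKENS = ("verify", "verification", "services", "account", "login", "secure", "signin")


def _registrable_label(domain: str) -> str:
    """Label left of the TLD, e.g. 'verify-linkedin' for verify-linkedin.net.
    Simplification: assumes a one-label TLD (no co.uk handling)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str):
    """Return (verdict, reasons). Verdicts: legitimate, benign, suspicious, likely_phish."""
    d = domain.lower().strip().rstrip(".")
    if d in LEGIT_DOMAINS or any(d.endswith("." + legit) for legit in LEGIT_DOMAINS):
        return "legitimate", []
    label = _registrable_label(d)
    # Split on hyphens/underscores/digits so 'delivery' does not match 'live'.
    words = [w for w in re.split(r"[-_0-9]+", label) if w]
    # Exact-word match for short brands; substring match for long, unambiguous ones.
    brands = [t for t in BRAND_TOKENS if t in words or (len(t) >= 7 and t in label)]
    if not brands:
        return "benign", []
    lures = [t for t in LURE_TOKENS if t in words]
    reasons = [f"brand:{b}" for b in brands] + [f"lure:{l}" for l in lures]
    return ("likely_phish" if lures else "suspicious"), reasons


# Constructed sample log lines in a simple key=value DNS-log format (not real data).
SAMPLE_DNS_LOG = """\
2019-03-28T09:14:02Z client=10.20.1.17 qtype=A qname=outlook.com
2019-03-28T09:14:05Z client=10.20.1.17 qtype=A qname=outlook-verify.net
2019-03-28T09:15:11Z client=10.20.1.42 qtype=A qname=delivery.net
2019-03-28T09:16:30Z client=10.20.1.42 qtype=A qname=verify-linkedin.net
2019-03-28T09:17:02Z client=10.20.1.90 qtype=A qname=login.live.com
2019-03-28T09:18:45Z client=10.20.1.90 qtype=A qname=myaccount-services.net
"""

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qtype=\S+\s+qname=(?P<qname>\S+)")


def flag_queries(log_text: str):
    """Return one record per query whose domain looks like a brand lookalike."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict, reasons = classify_domain(m["qname"])
        if verdict in ("suspicious", "likely_phish"):
            hits.append({"client": m["client"], "domain": m["qname"],
                         "verdict": verdict, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_DNS_LOG):
        print(f"{hit['client']} -> {hit['domain']}: {hit['verdict']} ({', '.join(hit['reasons'])})")
```

Hits on the sample log are the three lookalikes (outlook-verify.net, verify-linkedin.net, myaccount-services.net); outlook.com and login.live.com pass the allowlist, and delivery.net is not flagged because brand words are matched as whole tokens rather than substrings. Clients that resolve a flagged domain shortly after receiving an "account security" email are the ones to check for submitted credentials.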
“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations,” continues Microsoft. “Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure.”
The case against the Phosphorus APT is similar to the cases Microsoft filed against the Strontium APT group. The company confirmed that it has used this approach 15 times to take control of 91 fake websites associated with the Russia-linked Strontium group.
Microsoft revealed last month that the Russia-linked APT28 group targeted 104 accounts belonging to the employees of democratic organizations in various European countries.