Microsoft: Seizure of sites Iranian hackers used for attacks

Microsoft said the hacking group operations show “skill, patience and access to resources.” (AFP/File)
Updated 28 March 2019

  • The group has many names, like Phosphorus, APT35 and Charming Kitten
  • They used malicious software disguised as trustworthy websites to access personal information of users

Microsoft said it seized 99 websites used by Iranian hackers to steal sensitive information and launch other cyberattacks.
The company said the group, which it has been tracking since 2013, has tried to snoop on activists, journalists, political dissidents, defense industry workers and others in the Middle East, including some who were “protesting oppressive regimes” in the region.
Hackers did so by tricking people in those organizations to click on malicious links disguised to resemble well-known brands, including Microsoft and its LinkedIn, Outlook and Windows products, Microsoft said in court filings.
Wednesday’s announcement tied the hackers to the country of Iran but not specifically to its government. A spokesman for Iran’s mission to the United Nations didn’t respond to an email and phone call seeking comment Wednesday. Iran has denied involvement in other hacking efforts identified by Microsoft.
Microsoft calls the hacking group Phosphorus, while others call it APT35 or Charming Kitten.
Allison Wikoff, a security researcher at Atlanta-based Secureworks, said it is one of the “more active Iranian threat groups” she has observed. She said Microsoft’s takedown was a big win using a practice known as “sinkholing,” which involves taking over adversary domains and analyzing their traffic to protect against future attacks.
Microsoft sued the hacking group in US District Court in Washington this month and described a hacking operation that “demonstrates skill, patience and access to resources.”
The hackers’ malicious software, according to the lawsuit, “effectively morphs the trusted, Microsoft-trademarked Windows system into a tool of deception and theft.”
Microsoft said the group typically tries to infiltrate a target’s personal accounts, not their work accounts, by luring them into clicking on a link to a compromised website or opening a malicious attachment.
Hackers, the company said, used fake domain names that resembled Microsoft and other well-known brands. They also created fake social media profiles to target people. Microsoft said hackers were damaging the company by breaking into its customers’ online accounts and computer networks.
US District Judge Amy Berman Jackson sided with the company in a March 15 ruling, finding that there was good cause to believe the hacking activity was harming the company, its customers and the public. The documents were unsealed Wednesday.
Microsoft has taken hacking groups to court before. The Redmond, Washington, company used a similar strategy in 2016 to seize fake domains created by Russia-backed hackers who were later found to have been meddling in the US presidential election.


US media questions Bezos hacking claims

Updated 25 January 2020

  • Experts said while hack “likely” occurred, investigation leaves too many “unanswered questions”
  • Specialists on Thursday said evidence was not strong enough to confirm

LONDON: An investigation into claims that the phone of Amazon CEO Jeff Bezos was hacked has been called into question by cybersecurity experts and several major US media outlets, including the Wall Street Journal, New York Times and the Associated Press (AP).

Specialists on Thursday said evidence from the privately commissioned probe by FTI Consulting is not strong enough for a definitive conclusion, nor does it confirm with certainty that his phone was actually compromised.

The Wall Street Journal reported, late on Friday: “Manhattan federal prosecutors have evidence indicating Jeff Bezos’ girlfriend provided text messages to her brother that he then sold to the National Enquirer for its article about the Amazon.com Inc. founder’s affair, according to people familiar with the matter.”

Experts said while a hack “likely” occurred, the investigation leaves too many “unanswered questions,” including how a hack happened or which spyware program was used, the Associated Press (AP) reported.

Steve Morgan, founder and editor-in-chief of New York-based Cybersecurity Ventures, said the probe makes “reasonable assumptions and speculations,” but does not claim 100 percent certainty or proof.

UK-based cybersecurity consultant Robert Pritchard said: “In some ways, the investigation is very incomplete … The conclusions they’ve drawn, I don’t think, are supported by the evidence. They veered off into conjecture.”

Alex Stamos, former chief security officer at Facebook, wrote that the FTI probe is filled with “circumstantial evidence but no smoking gun.”

Matt Suiche, a Dubai-based French entrepreneur and founder of cybersecurity firm Comae Technologies, told AP that the malicious file is presumably still on the hacked phone because the investigation shows a screenshot of it.

If the file had been deleted, he said the probe should have stated this or explained why it was not possible to retrieve it. “They’re not doing that. It shows poor quality of the investigation,” Suiche added.

Reports on Wednesday suggested that Saudi Arabia was involved in the phone of Bezos being hacked after he received a WhatsApp message sent from the personal account of Crown Prince Mohammed bin Salman.

The Saudi Embassy in the US denied the allegations, describing them as “absurd.” Saudi Foreign Minister Prince Faisal bin Farhan called the accusations “purely conjecture” and “absolutely silly,” saying if there was real evidence the Kingdom looked forward to seeing it.

A Wall Street Journal report quoted forensics specialists as saying the FTI investigation’s claims that Saudi Arabia was behind any possible hacking of the phone “appeared to forgo investigatory steps.”

CNN reported that critics of the probe highlighted a “lack of sophistication” in it, quoting Sarah Edwards, an instructor at the SANS Institute, as saying: “It does seem like (FTI) gave it a good try, but it seems they’re just not as knowledgeable in the mobile forensics realm as they could have been.”

The New York Times said the probe tried to find links between the possible hacking of the phone and an article in the National Enquirer about the Amazon CEO’s extramarital affair with Lauren Sanchez, but any link remains “elusive.”

National Enquirer owner American Media said in a statement regarding the source of the leak on Sanchez’s involvement with Bezos: “The single source of our reporting has been well documented, in September 2018 Michael Sanchez began providing all materials and information to our reporters. Any suggestion that a third party was involved in or in any way influenced our reporting is false.”