Microsoft said Friday that it believed that hackers linked to the Iranian government have recently targeted a US presidential campaign, as well as government officials, media targets and prominent expatriate Iranians.
Overall, the hackers attempted to penetrate 241 accounts — four successfully — though none of those penetrated was associated with presidential campaigns or current or past US officials, Microsoft said. A company spokeswoman declined to identify those targeted, citing customer privacy.
Reuters and The New York Times reported that the attacks targeted US President Donald Trump’s reelection campaign, but this could not be independently confirmed.
A review of publicly available internet records by AP showed that the Trump campaign’s official website is linked to Microsoft’s email service.
The campaign website is the only major candidate’s site connected to Microsoft’s cloud email service, and his campaign has spent tens of thousands of dollars on the company’s products, Reuters said.
The New York Times report saying Trump was targeted cited two people with knowledge of the attacks who were not allowed to discuss them publicly, and said it wasn’t clear if the campaign had been compromised in any way.
Tim Murtaugh, spokesman for Trump’s 2020 reelection campaign, said there was “no indication that any of our campaign infrastructure was targeted.”
Microsoft’s announcement is the latest sign that foreign governments are looking for ways to potentially disrupt the 2020 presidential election. US intelligence officials have sounded the alarm about the risks for months.
Russia’s hacking of the Democratic National Committee and the Clinton campaign, as well as the subsequent leaks of emails during the 2016 election, roiled the Democratic National Committee, hurt the Clinton campaign and was a focal point in special counsel Robert Mueller’s probe.
Foreign hackers have long targeted the US government and politicians, generally with little notice. But the disruption caused by Russia’s attack has heightened awareness and prompted fears that other nations will try to follow Russia’s example. Tehran in particular could have a stake in the outcome of the US election after Trump withdrew from the 2015 nuclear agreement with Iran and stepped up sanctions against the country.
“The Russians came after us and our election system in 2016 and they paid virtually no price for that activity,” said Jamil N. Jaffer, director of the national security law and policy program at George Mason University, and former chief counsel of the Senate Foreign Relations Committee. “It’s not surprising that China now more aggressively and maybe the Iranians are getting in that game. Why not?”
The US Department of Homeland Security said it was working with Microsoft to “assess and mitigate impacts.” Chris Krebs, director of the department’s Cybersecurity and Infrastructure Security Agency, said much of the activity is likely “run-of-the-mill” foreign intelligence service work.
But, “Microsoft’s claims that a presidential campaign was targeted is yet more evidence that our adversaries are looking to undermine our democratic institutions,” Krebs said.
In a blog post released Friday, Microsoft’s Tom Burt, corporate vice president for customer security and trust, said that owners of four accounts that were compromised by the hackers have been notified. The company would not identify those accounts.
The attacks by a group Microsoft calls Phosphorus occurred during a 30-day period between August and September.
Burt said the Iranian hackers used password reset and account recovery features to try to take over accounts. For example, they gathered phone numbers belonging to targets to help with a password reset. In other cases, they tried to get into secondary email accounts that might be linked to the Microsoft account to gain access via a verification email.
The hackers researched their targets, making more than 2,700 attempts to identify emails belonging to a specific Microsoft customer. A spokeswoman declined to provide more details.
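The two behaviours described above, bulk lookups to confirm which addresses belong to a target and repeated password-reset or recovery attempts against the accounts that were found, leave a recognisable trace in authentication logs. The following is an added detection example, not code from Microsoft or from the article: it parses constructed sample log lines in an assumed `key=value` layout (not a real product format), then flags sources that probe many distinct accounts in a short window and accounts that receive repeated reset attempts from more than one source. The thresholds and window are arbitrary tuning values.

```python
"""Flag account-enumeration and recovery-abuse patterns in constructed auth logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The field layout (timestamp, then key=value pairs)
# is an assumption for this example, not the format of any real service.
SAMPLE_LOG = """\
2019-08-14T09:00:01Z event=recovery_lookup account=alice@example.test src=203.0.113.7 result=fail
2019-08-14T09:00:09Z event=recovery_lookup account=bob@example.test src=203.0.113.7 result=fail
2019-08-14T09:00:15Z event=recovery_lookup account=carol@example.test src=203.0.113.7 result=ok
2019-08-14T09:00:22Z event=recovery_lookup account=dave@example.test src=203.0.113.7 result=fail
2019-08-14T09:00:30Z event=recovery_lookup account=erin@example.test src=203.0.113.7 result=fail
2019-08-14T09:05:00Z event=password_reset account=carol@example.test src=203.0.113.7 result=fail
2019-08-14T09:40:00Z event=password_reset account=carol@example.test src=198.51.100.23 result=fail
2019-08-14T09:55:00Z event=password_reset account=carol@example.test src=198.51.100.23 result=ok
2019-08-14T11:00:00Z event=password_reset account=frank@example.test src=192.0.2.44 result=ok
2019-08-15T08:00:00Z event=recovery_lookup account=grace@example.test src=203.0.113.7 result=fail
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' plus the key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def _windowed(events, window):
    """Yield (event, events in the trailing window ending at that event) in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for i, ev in enumerate(events):
        while events[start]["ts"] < ev["ts"] - window:
            start += 1
        yield ev, events[start:i + 1]


def detect_recovery_abuse(lines, window=timedelta(hours=1),
                          lookup_threshold=5, reset_threshold=3):
    """Return sources that enumerate accounts and accounts hit by multi-source reset attempts.

    Thresholds are arbitrary example values; tune them to the service's normal traffic.
    """
    events = [parse_line(line) for line in lines if line.strip()]
    lookups_by_src = defaultdict(list)
    resets_by_account = defaultdict(list)
    for ev in events:
        if ev.get("event") == "recovery_lookup":
            lookups_by_src[ev["src"]].append(ev)
        elif ev.get("event") == "password_reset":
            resets_by_account[ev["account"]].append(ev)

    # Enumeration: one source probing many distinct accounts within the window.
    enumeration = {}
    for src, evs in lookups_by_src.items():
        peak = max(len({e["account"] for e in win}) for _, win in _windowed(evs, window))
        if peak >= lookup_threshold:
            enumeration[src] = peak

    # Targeting: repeated reset attempts on one account from at least two sources.
    targeted = {}
    for account, evs in resets_by_account.items():
        for _, win in _windowed(evs, window):
            sources = {e["src"] for e in win}
            if len(win) >= reset_threshold and len(sources) >= 2:
                targeted[account] = {
                    "attempts": len(win),
                    "sources": sorted(sources),
                    "succeeded": any(e["result"] == "ok" for e in win),
                }
    return {"enumeration_sources": enumeration, "targeted_accounts": targeted}


if __name__ == "__main__":
    findings = detect_recovery_abuse(SAMPLE_LOG.splitlines())
    for src, count in findings["enumeration_sources"].items():
        print(f"enumeration from {src}: {count} distinct accounts probed in one window")
    for account, info in findings["targeted_accounts"].items():
        state = "SUCCEEDED" if info["succeeded"] else "failed so far"
        print(f"reset abuse on {account}: {info['attempts']} attempts from {info['sources']} ({state})")
```

The "succeeded" flag matters operationally: a flagged account with a successful reset is an incident to contain (revoke sessions, re-verify recovery contacts), whereas failed-only clusters are a signal to rate-limit the source and alert the account owner.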
In July, Microsoft announced that it had detected more than 740 infiltration attempts by nation-state actors in the past year targeting US-based political parties, campaigns and other democracy-focused organizations including think tanks and other nonprofits.
The company declined to name or further characterize the targets or the actors. It said at the time that such targeting had similarly occurred in the early stages of the 2016 and 2018 elections.
The Iranian cyber offensive is the latest chapter in the US and Iran’s ongoing cyber warfare.
In June, cybersecurity firms said Iran had increased its offensive cyberattacks against the US government and critical infrastructure as tensions had grown between the two nations.
Hackers believed to be working for the Iranian government have targeted US government agencies, as well as sectors of the economy, including oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity.
Iran has long targeted the US oil and gas sectors and other critical infrastructure, but those efforts dropped significantly after the nuclear agreement was signed in 2015. After Trump withdrew the US from the deal in May 2018, cyber experts said they had seen an increase in Iranian hacking efforts.
The US has had a contentious cyber history with Iran.
In 2010, the so-called Stuxnet virus disrupted the operation of thousands of centrifuges at a uranium enrichment facility in Iran. Iran accused the US and Israel of trying to undermine its nuclear program through covert operations.
Iran has also shown a willingness to conduct destructive campaigns. Iranian hackers in 2012 launched an attack against state-owned oil company Saudi Aramco, releasing a virus that erased data on 30,000 computers and left an image of a burning American flag on screens.
In 2016, the US indicted Iranian hackers for a series of punishing cyberattacks on US banks and a small dam outside of New York City.
Tensions have risen in the Persian Gulf since May last year when Trump unilaterally abandoned the nuclear deal between major powers and Iran and began reimposing crippling sanctions in a campaign of “maximum pressure.”
They flared again this May when Iran began reducing its own commitments under the deal and the US deployed military assets to the region.
Since then, ships have been attacked, drones downed and oil tankers seized. This month, twin attacks on Saudi oil infrastructure, which knocked out half the kingdom’s production, drew blame from Washington and Europe.
Tehran has denied any involvement in the attacks, which were claimed by Iran-backed rebels fighting a Saudi-led coalition in Yemen.
The Times of Israel covers one of the most complicated, and contentious, parts of the world. Determined to keep readers fully informed and enable them to form and flesh out their own opinions, The Times of Israel has gradually established itself as the leading source of independent and fair-minded journalism on Israel, the region and the Jewish world.