Serviceteam IT Security News

Microsoft is claiming its attempts at disrupting a well-known Iranian state-sponsored APT group have had a “significant impact.”

Unsealed court documents reveal the work of Microsoft’s Digital Crimes Unit (DCU) in targeting the Tehran-linked APT35 group, also known as Charming Kitten and Phosphorus, according to VP of customer security and trust, Tom Burt.

A court order allowed the unit to take control of 99 phishing domains — including outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net — which were used to harvest victims’ credentials.
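The four seized domains follow the same pattern the group relied on: a brand name (outlook, yahoo, live) paired with an account-lure word (verify, verification, services) under a registrable domain the brand does not own. The following is an added detection example, not part of the article and not Microsoft's or the DCU's tooling. It takes the four domains named above as indicators and, more generally, flags any queried name that combines a brand token with a lure token outside an allowlist of the real services. The log lines, the keyword lists and the allowlist are constructed for illustration.

```python
"""Flag lookalike credential-phishing domains in DNS query logs.

Added example. The indicator set is the four domains named in the article;
the log lines, keyword lists and allowlist are constructed (hypothetical).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains the article names as seized under the court order.
KNOWN_PHISHING_DOMAINS = {
    "outlook-verify.net",
    "yahoo-verify.net",
    "verification-live.com",
    "myaccount-services.net",
}

# Registrable domains of the services being impersonated (constructed allowlist).
LEGIT_DOMAINS = {"outlook.com", "yahoo.com", "live.com", "microsoft.com", "office.com"}

# A brand token plus an account-lure token in a non-allowlisted registrable
# domain is treated as suspicious. Hypothetical heuristic, not an official rule.
BRAND_TOKENS = ("outlook", "yahoo", "live", "microsoft", "office", "myaccount")
LURE_TOKENS = ("verify", "verification", "services", "account", "login", "signin")

# Constructed BIND-style query log lines (not real traffic).
SAMPLE_LOG = """\
10-Mar-2019 09:12:01.123 queries: info: client 10.1.2.3#51234: query: outlook-verify.net IN A + (10.0.0.1)
10-Mar-2019 09:12:02.456 queries: info: client 10.1.2.3#51235: query: www.outlook.com IN A + (10.0.0.1)
10-Mar-2019 09:12:03.789 queries: info: client 10.1.2.9#51236: query: mail.yahoo.com IN A + (10.0.0.1)
10-Mar-2019 09:12:04.001 queries: info: client 10.1.2.9#51237: query: login.live-account-verify.com IN A + (10.0.0.1)
10-Mar-2019 09:12:05.002 queries: info: client 10.1.2.4#51238: query: verification-live.com IN A + (10.0.0.1)
10-Mar-2019 09:12:06.003 queries: info: client 10.1.2.5#51239: query: cdn.example.org IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")


@dataclass
class Hit:
    client: str
    qname: str
    reason: str


def registrable_domain(qname: str) -> str:
    """Last two labels of the query name (naive eTLD+1; no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(qname: str) -> Optional[str]:
    """Return a reason string if the name looks like a credential lure, else None."""
    reg = registrable_domain(qname)
    if reg in LEGIT_DOMAINS:
        return None  # the genuine service, never flag
    if reg in KNOWN_PHISHING_DOMAINS:
        return "known APT35 phishing domain"
    host = qname.lower()
    brand = next((b for b in BRAND_TOKENS if b in host), None)
    lure = next((t for t in LURE_TOKENS if t in host), None)
    if brand and lure:
        return f"lookalike: brand '{brand}' with lure '{lure}' on non-allowlisted domain {reg}"
    return None


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every query line and collect the flagged ones."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reason = classify(m.group("qname"))
        if reason:
            hits.append(Hit(m.group("client"), m.group("qname"), reason))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.client}\t{h.qname}\t{h.reason}")
```

Exact matches against the seized list are the high-confidence signal; the keyword heuristic is deliberately broad and will produce false positives on legitimate names that happen to contain a brand word (substring matching on "live" or "office" is the usual offender), so treat it as a triage queue rather than a blocking rule, and replace the two-label registrable-domain shortcut with a public-suffix lookup before using it on real resolver logs.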

“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crimes Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to [Microsoft Threat Intelligence Center] MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” explained Burt.

“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”

Burt thanked these other tech firms for their assistance, as well as the domain companies that were required to transfer websites registered by APT35 to Microsoft, under the court order.

While these efforts will certainly not put an end to the state-backed group’s activities, they force it to rebuild infrastructure and, in the meantime, give defenders valuable intelligence on who it was targeting and how.

The group has been detected in the past targeting businesses, government agencies, activists and journalists with information-stealing raids.

Microsoft has used the same tactic against the notorious Russian APT28 (aka Strontium) group, which has been blamed for info-stealing attacks on Democratic Party officials ahead of the 2016 US presidential election.

Burt claimed Microsoft had used the approach 15 times, controlling 91 spoofed websites registered by the Kremlin-backed group.

Source: Infosecurity Magazine
