Microsoft: Iran government-linked hacker targeted 2020 presidential campaign

A hacker linked to the Iran government made more than 2,700 attempts to target email addresses belonging to a 2020 U.S. presidential campaign, government officials, journalists and prominent Iranians living abroad, the tech giant Microsoft said Friday.

The company said that four email accounts were compromised by the group it calls “Phosphorous” but none of those compromised accounts were associated with a presidential campaign or current U.S. government officials.

“Microsoft has notified the customers related to these investigations and threats and has worked as requested with those whose accounts were compromised to secure them,” Tom Burt, Microsoft vice president for customer security and trust, wrote in a blog post.

A company spokesman declined to identify which campaign or individuals Phosphorous targeted, but Reuters and the New York Times reported Friday that the hack targeted President Donald Trump's reelection campaign.

Tim Murtaugh, a campaign spokesman for President Donald Trump’s reelection campaign, initially declined to comment on whether it was targeted in the newly-revealed Iran-linked attack. But Murtaugh later added that the campaign has "no indication that any of our campaign infrastructure was targeted."

The targeted attacks come while anxiety about Russian interference in the 2016 election has not receded.

In March 2016, two cyber units of the Russian military agency called "GRU" sent hundreds of spear-phishing emails to email addresses associated with former Secretary of State Hillary Clinton's presidential campaign and the Democratic National Committee. The spear-phishing campaign allowed them to gain access to John Podesta's email accounts. Podesta was Clinton's campaign chairman.

The group WikiLeaks released more than 20,000 emails and other documents stolen in the hacks, three days before the Democratic National Convention. WikiLeaks then released more than 50,000 documents stolen from Podesta's personal email account in the month leading up to Election Day 2016.

Campaign officials with former Vice President Joe Biden, Sen. Bernie Sanders and author Marianne Williamson declined to comment, citing policies of not discussing security matters.

Ian Sams, a spokesman for the campaign of Democratic White House hopeful Kamala Harris, said the campaign has received "no indication that our campaign is the one Microsoft referenced or that we have been targeted by this attack.

"But we have taken appropriate steps since the beginning of our campaign to protect ourselves against hacking attempts and will continue to do so," Sams added.

Montana Gov. Steve Bullock's and former Rep. Joe Sestak's campaigns confirmed they were not targeted. Dennis Willard with Rep. Tim Ryan's presidential campaign said they "have no reason to believe that we were hacked."

Officials for the campaigns of Elizabeth Warren, South Bend, Indiana, Mayor Pete Buttigieg, as well as 9 low-polling Democratic candidates did not respond to requests for comment.

Microsoft says Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over targeted accounts.

“For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account,” Burt said. “In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets.”

Microsoft said it decided to publicize the hack, which it described as "not technically sophisticated," because it felt it's increasingly important for the government and private sector to be transparent about nation-state attacks and attempts to disrupt democratic processes.

The company added that publishing the information would also help other organizations associated with election processes to be more vigilant.

Iran is lesser known among U.S. adversaries for its cyberattack capabilities. Tehran’s most notable suspected cyberattacks targeted Israel, Turkey, the United Kingdom, and the U.S. in 2010 following a collaborative attack against Iran’s nuclear program by the U.S. and Israel.

“This series of attacks is notable for their lack of sophistication. The attackers didn’t try to crack passwords or engage in phishing attacks,” said Mike Chapple, associate teaching professor of IT, analytics, and operations at the University of Notre Dame. “Instead, they took advantage of Microsoft’s password recovery mechanisms, attempting to take over the secondary email accounts and phone numbers used to reset forgotten passwords.”

This article originally appeared on USA TODAY: Election 2020: Campaign, government officials targeted by Iran hackers