Microsoft: Iranian hacking group targeting attendees of major international security conferences

Microsoft: Iranian hacking group targeting attendees of major international security conferences

Microsoft on Wednesday reported that an Iranian hacking group had attempted to target high-ranking attendees of international security conferences, including the upcoming Munich Security Conference. 

Tom Burt, the corporate vice president of Customer Security and Trust at Microsoft, wrote in a blog post that the Iranian hacking group known as “Phosphorus” had “masqueraded” as conference organizers in order to target around 100 high profile individuals who are set to attend the Munich Security Conference or the Think 20 (T20) Summit in Saudi Arabia.

The hacking group sent phishing emails, written in English, inviting recipients to attend the conferences and giving details on travel logistics and potential remote sessions. According to Burt, the group was able to successfully compromise the accounts of “several victims,” including those belonging to former ambassadors and other foreign policy experts. 


“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” Burt wrote. “We’ve already worked with conference organizers who have warned and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events.”

The annual Munich Security Conference is due to take place over three days in February next year, while the T20 Summit will take place beginning later this week. 

While the schedule for next year’s Munich Security Conference has not yet been announced, 2020 participants included high-ranking leaders from all over the world, including French President Emmanuel MacronEmmanuel Jean-Michel MacronMacron urges US, EU to share vaccine doses Biden to champion alliances, democracy as he meets with foreign partners Overnight Defense: NATO expanding troops in Iraq MORE, Canadian Prime Minister Justin TrudeauJustin Pierre James TrudeauSunday shows - Trump's reemergence, COVID-19 vaccines and variants dominate Trudeau: Canadian, US border to remain closed 'for now' Sunday shows preview: 2024 hopefuls gather at CPAC; House passes coronavirus relief; vaccine effort continues MORE, Secretary of State Mike PompeoMike PompeoFive takeaways from CPAC 2021 Pompeo: Release of Khashoggi report by Biden admin 'reckless' Trump wins CPAC straw poll with 55 percent MORE and Speaker Nancy PelosiNancy PelosiTrump shows he holds stranglehold on GOP, media in CPAC barnburner Biden brings back bipartisan meetings at the White House McCarthy: 'I would bet my house' GOP takes back lower chamber in 2022 MORE (D-Calif.). 

Microsoft disclosed last year that the Phosphorus group, which the company believes is tied to the Iranian government, had targeted and attacked hundreds of Microsoft accounts, including accounts used by staffers of an unnamed presidential campaign. 

Reuters later reported that the campaign targeted was President TrumpDonald TrumpSacha Baron Cohen calls out 'danger of lies, hate and conspiracies' in Golden Globes speech Sorkin uses Abbie Hoffman quote to condemn Capitol violence: Democracy is 'something you do' Ex-Trump aide Pierson planning run for Congress MORE's reelection campaign, though a Trump campaign spokesperson told The Hill at the time that there was “no indication” that any campaign infrastructure was targeted. 


Burt emphasized Wednesday that the new activity was not “tied to the U.S. elections in any way.”

Microsoft warned in September that it was seeing a spike in nation-state cyber targeting of U.S. public policy groups and organizations involved in COVID-19 research. Burt pointed to this assessment Wednesday in urging groups to stay on guard against malicious cyber targeting.

“We will continue to use a combination of technology, operations, legal action and policy to disrupt and deter malicious activity, but nothing replaces vigilance from people who are likely targets of these operations,” Burt wrote.