Microsoft has detected and worked to stop a series of cyber-attacks from hackers masquerading as conference organisers to target more than 100 high-profile individuals, including former ambassadors and other senior policy experts, for intelligence collection purposes. Phosphorus, an Iranian threat actor, targeted potential attendees of the upcoming Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia.
The Munich Security Conference is the most important gathering on the topic of security for heads of state and other world leaders, and it has been held annually for nearly 60 years. Likewise, T20 is a highly visible event that shapes policy ideas for the G20 nations and informs their critical discussions.
"Based on current analysis, we do not believe this activity is tied to the US elections in any way," said Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft.
The attackers have been sending possible attendees spoofed invitations by email. The emails use near-perfect English and were sent to former government officials, policy experts, academics and leaders from non-governmental organisations.
"Phosphorus helped assuage fears of travel during the Covid-19 pandemic by offering remote sessions," Burt said in a statement on Friday.
"We believe Phosphorus is engaging in these attacks for intelligence collection purposes. The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries," he elaborated.
This activity was uncovered by Microsoft's Threat Intelligence Center, or MSTIC, which tracks the world's nation-state and cybercrime actors. "We've already worked with conference organizers who have warned and will continue to warn their attendees, and we're disclosing what we've seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events," Microsoft said.
The nation-state cyber attackers routinely pursue think tanks, policy organisations and governmental and non-governmental organisations, seeking information that an attacker can use for their benefit.
"We will continue to use a combination of technology, operations, legal action and policy to disrupt and deter malicious activity, but nothing replaces vigilance from people who are likely targets of these operations," Burt advised.
As always, enabling multi-factor authentication across both business and personal email accounts will successfully thwart most credential harvesting attacks like these, Microsoft said.