Microsoft is claiming its attempts at disrupting a well-known Iranian state-sponsored APT group have had a “significant impact.”
Unsealed court documents reveal the work of Microsoft’s Digital Crimes Unit (DCU) in targeting the Tehran-linked APT35 group, also known as Charming Kitten and Phosphorous, according to VP of customer security and trust, Tom Burt.
A court order allowed the unit to take control of 99 phishing domains — including outlook-verify.net, yahoo-verify.net, verification-live.com, and myaccount-services.net — which were used to harvest victims’ credentials.
“The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crimes Unit’s sinkhole. The intelligence we collect from this sinkhole will be added to [Microsoft Threat Intelligence Center] MSTIC’s existing knowledge of Phosphorus and shared with Microsoft security products and services to improve detections and protections for our customers,” explained Burt.
“Throughout the course of tracking Phosphorus, we’ve worked closely with a number of other technology companies, including Yahoo, to share threat information and jointly stop attacks.”
Burt thanked these other tech firms for their assistance, as well as the domain companies that were required to transfer websites registered by APT35 to Microsoft, under the court order.
While these efforts will certainly not put an end to the state-backed group’s activities, it will help the white hats discomfort their opponents a little whilst obtaining some valuable intelligence on their activities.
The group has been detected in the past targeting businesses, government agencies, activists and journalists with information-stealing raids.
It’s a similar tactic used by Microsoft to disrupt the notorious Russian APT28 (aka Strontium) group, which has been blamed for info-stealing attacks on Democratic Party officials ahead of the 2016 US presidential election.
Burt claimed Microsoft had used the approach 15 times, controlling 91 spoofed websites registered by the Kremlin-backed group.