Iran-linked hackers tried to compromise presidential campaign, Microsoft says

The company said that it had seen "significant cyberactivity" from a group of hackers that it believes "originates from Iran and is linked to the Iranian government."

By Jason Abbruzzese and Ken Dilanian

A group of hackers believed to be linked to the government of Iran tried to access email accounts associated with a U.S. presidential campaign, Microsoft announced Friday.

The company said that it had seen "significant cyberactivity" from a group of hackers that it believes "originates from Iran and is linked to the Iranian government."

Microsoft said that its threat-tracking operation found the group attacked 241 email accounts associated with current and former U.S. government officials, journalists, prominent Iranians outside Iran and one U.S. presidential campaign. Microsoft did not name the campaign that was targeted.

The company said that the attack on the campaign was unsuccessful but that the hackers were able to access four accounts not associated with the campaign or the current and former government officials.


Tom Burt, vice president of customer security and trust for Microsoft, wrote in a blog post that the Iran-linked group, which the company refers to by the name Phosphorus, gathered information about people in an attempt to trick them into falling for phishing schemes, in which the group attempted to use password reset or account recovery features to take over accounts.

"While the attacks we’re disclosing today were not technically sophisticated, they attempted to use a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks," Burt wrote. "This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering."

Chris Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, said CISA was working to determine the severity of the attack.

"CISA is aware of the report from Microsoft about Iranian actors targeting U.S. accounts and we are working with them to assess and mitigate impacts," Krebs said. "While much of this activity can likely be attributed to run-of-the-mill foreign intelligence service work, Microsoft’s claims that a presidential campaign was targeted is yet more evidence that our adversaries are looking to undermine our democratic institutions."

U.S. intelligence as well as independent cybersecurity experts have said that they expect a variety of hacking attempts aimed at aspects of the 2020 U.S. election, including campaigns and voting infrastructure.

While Russia remains a fixture of election security concerns, other nations have also emerged as legitimate threats. In January, then-Director of National Intelligence Dan Coats warned that numerous countries — including China and Iran — are poised to try to influence American politics and that they are expected to be honing their tactics and coming up with new exploits.

One of the most significant elements of efforts to interfere in the 2016 election can be traced back to a single email account break-in. Hillary Clinton campaign chairman John Podesta's personal email account was hacked, with many of his emails later released by Wikileaks.

Former special counsel Robert Mueller concluded in his report on Russia's 2016 election interference efforts that the emails were transmitted from a Russian-government proxy to a third party, which eventually gave them to Wikileaks.

Microsoft's announcement is not the first time that Iran's cyberactivity has come under scrutiny. In August 2018, Facebook said it removed a network of Iran-linked accounts that had pushed propaganda — a strategy that had distinct similarities to Russian propaganda efforts.

Theresa Payton, CEO of cybersecurity firm Fortalice Solutions and a former White House chief information officer, said recent U.S. sanctions had increased the likelihood of cyberattacks from Iran.

"We shouldn't be surprised that Phosphorus and other groups linked to Iran are ramping up their efforts," Payton said in an email. "Iran has been developing its cybercapabilities for more than a decade. Now that the U.S. has imposed sanctions against Iran and tensions are mounting in the region, they have nothing to lose."

While phishing attacks are not new, they remain among the most effective ways to penetrate secure systems. Their effectiveness also means they remain a common form of cyberattack.

Despite widespread agreement that foreign adversaries will attempt to influence the election, the U.S. government has been slow to approve the funding necessary to help local jurisdictions prepare for 2020. In September, Senate Majority Leader Mitch McConnell reversed course and announced support for an appropriations bill that would earmark $250 million for election security.

But the United States has also been reluctant under President Donald Trump to join international efforts to address cybersecurity issues. The U.S. did not sign on to the Paris Call for Trust and Security in Cyberspace, which received support from more than 50 countries and 130 private companies and groups.

In the blog post, Burt urged "all governments, companies and advocacy groups" to consider joining the agreement, as well as the Cybersecurity Tech Accord, another public cybersecurity commitment signed by more than 100 companies.

"These are two important initiatives that aim to keep the internet safer from the types of malign activity we’re discussing today," he wrote.