Munich Security Conference attendees targeted with Iran-linked spearphishing, Microsoft says

Double check that high-profile "invite" in your inbox.
Munich Security Conference
NATO Secretary General Jens Stoltenberg addresses the Munich Security Conference in 2015. (NATO / Flickr)

Iranian government-linked hackers have been sending spearphishing emails to large swaths of high-profile potential attendees of the upcoming Munich Security Conference as well as the Think 20 Summit in Saudi Arabia, according to Microsoft research.

The Iranian attackers, known as Phosphorous, have disguised themselves as conference organizers and have sent fake invitations containing PDF documents with malicious links to over 100 possible invitees of the conferences, both of which are prominent summits dedicated to international security and policies of the world’s largest economies, respectively.

In some cases the attackers have been successful in guiding some victims to those links, which lead victims to credential-harvesting pages, Tom Burt, corporate vice president of Microsoft Security and Trust announced in a blog published Wednesday morning.

“We believe Phosphorus is engaging in these attacks for intelligence collection purposes,” Burt wrote in the blog. “The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries.”


It’s the kind of attack that can give the government-linked hackers access to the inboxes of high-profile former government officials, policy experts, academics, and NGO leaders, Burt said.

Microsoft did not say what information, if any, the attackers successful stole from victims.

It was just the latest example of Phosphorous targeting non-governmental entities — the group has been known to target journalists and researchers who focus on Iran in the past, for instance.

The hackers typically also go after entities in the military, energy, business services, and telecommunications sectors throughout the U.S. and the Middle East, according to previous FireEye research. The Iranian government-linked hackers tend to conduct long-term strategic intelligence gathering, according to FireEye.

Although Microsoft is releasing the information on the threat to Munich Security Conference attendees in close proximity to the U.S. presidential elections, Microsoft researchers do not believe this specific campaign is linked with the election.


But the same hackers behind this operation, also known as APT35 or Charming Kitten, have targeted associates of President Donald Trump’s reelection campaign before, according to previous Microsoft and Google research. In recent months the hackers have targeted the Trump campaign, according to research Microsoft published last month and Google research published in June. The same group was targeting journalists and the email accounts of people associated with the Trump campaign one year ago as well.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts