Microsoft takes down sites tied to suspected Iranian hackers

Microsoft said Wednesday that it obtained a court order last week to seize and shut down websites used by Iranian hackers.

Tom Burt, Microsoft’s vice president for customer security and trust, said in a blog post that the company had sued the hacking group — which goes by Phosphorus, APT 35 and Charming Kitten — over its targeting of Microsoft users.

The hackers have been known to target businesses, government agencies, activists and journalists “especially those involved in advocacy and reporting on issues related to the Middle East,” Burt wrote.

He added that the group uses spear-phishing attacks on its targets, tricking users into clicking a link that then distributes malware and gives hackers access to the user’s systems and networks. The same technique was used in the 2016 hack of John Podesta, then the chairman of Democratic nominee Hillary Clinton’s presidential campaign.

The Iranian hackers also created fake websites that appear to belong to brands like Microsoft to trick users into providing their login information, according to Burt.

“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations,” he wrote. “Our work to track Phosphorus over multiple years and observe its activity enabled us to build a decisive legal case and execute last week’s action with confidence we could have significant impact on the group’s infrastructure.”

A court filing unsealed on Wednesday shows Microsoft sued the unnamed hackers for targeting “victims who are using Microsoft email services and has intruded into those accounts to steal information of Microsoft’s users.”

“Phosphorus’s use of Microsoft trademarks is meant to confuse victims into clicking on links controlled by the Phosphorus defendants,” the complaint states. “When the user clicks on the links, they are taken to deceptive web pages that induce the victim to type in their Microsoft credentials, at which point the Phosphorus defendants obtain access to those credentials.”
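The pattern the complaint describes, and the fake brand websites mentioned earlier, both rest on Microsoft trademarks appearing in domain names the company does not control; a defender can screen observed hostnames for exactly that. The Python below is an added example, not Microsoft's tooling or anything from the court filing: the allowlist of official domains, the brand list, the lookalike table and the sample hostnames are all constructed assumptions for illustration.

```python
import unicodedata

# Constructed allowlist of registrable domains Microsoft itself operates (illustrative, not authoritative).
OFFICIAL = {"microsoft.com", "outlook.com", "office.com", "live.com"}
BRANDS = ("microsoft", "outlook", "office365", "onedrive")
# Constructed table of characters substituted for Latin letters: digits and Cyrillic homoglyphs
# (written as escapes because the Cyrillic glyphs render identically to the Latin ones).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
                            "\u0430": "a", "\u0435": "e", "\u043e": "o",
                            "\u0440": "p", "\u0441": "c", "\u0456": "i"})


def fold(label: str) -> str:
    """Map lookalike characters to ASCII and strip accents so a disguised 'microsoft' folds back."""
    decomposed = unicodedata.normalize("NFKD", label.translate(LOOKALIKES))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch keystroke-level typos such as 'microsft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'official', a reason tag for a suspected brand impersonation, or 'unrelated'."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in OFFICIAL:        # naive eTLD+1 check; fine for .com-style names
        return "official"
    for raw in labels[:-1] or labels:            # skip the TLD label itself
        folded = fold(raw)
        for brand in BRANDS:
            if brand in folded:                  # brand embedded in a non-official name
                return f"lookalike:{brand}" if raw != folded else f"brand-in-name:{brand}"
            # near-miss spelling of the brand in any hyphen-separated token
            if any(len(tok) >= 6 and edit_distance(tok, brand) <= 2 for tok in folded.split("-")):
                return f"typo:{brand}"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("login.microsoft.com", "microsoft.com.evil.example",
                   "micr0soft-login.example", "microsft-signin.example", "example.org"):
        print(f"{sample:32} {classify(sample)}")
```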