June 25, 2020
The Microsoft Threat Protection Intelligence Team has described a chain of attacks on its cloud service in a post published on June 18.
According to Microsoft, the group identified as HOLMIUM has been performing espionage and destructive attacks targeting the aerospace, defense, chemical, mining, and petrochemical-mining industries.
Based on previous research by FireEye, the group has been linked to Iran and the Iranian Cyber Army.
The attack consisted of sophisticated phishing emails that gave the target the impression the message was legitimate. A well-crafted Outlook Home Page that looked realistic was also part of the ploy to gain access. Combined with password spraying, in which the attackers attempt to gain access to a large number of accounts by trying commonly used passwords against each of them, the hackers were able to enter accounts.
After gaining access to the victims' accounts they were able to explore information and in some cases even control the victim's computer and other computers on the same network. Microsoft noted that the attackers were determined "to stay persistent for long periods of time, sometimes for months on end."
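Password spraying has a recognizable shape in sign-in logs: one source failing against many distinct accounts within a short window, rather than many attempts against one account. The following is an added example, not code from Microsoft's post, that runs that check over constructed sign-in log lines in an assumed `timestamp src=... user=... result=...` format and also lists any accounts the same source subsequently signed into:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real data): the first source tries
# five different accounts in seconds (a spray); the second hammers one account.
SAMPLE_LOG = """\
2020-06-18T09:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-06-18T09:00:04Z src=203.0.113.5 user=bob result=FAIL
2020-06-18T09:00:07Z src=203.0.113.5 user=carol result=FAIL
2020-06-18T09:00:10Z src=203.0.113.5 user=dave result=FAIL
2020-06-18T09:00:13Z src=203.0.113.5 user=erin result=SUCCESS
2020-06-18T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2020-06-18T09:01:30Z src=198.51.100.9 user=alice result=FAIL
2020-06-18T09:02:00Z src=198.51.100.9 user=alice result=SUCCESS
"""

def parse_line(line):
    """Parse one assumed-format log line into (timestamp, src, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]

def detect_spray(log_text, min_accounts=4, window=timedelta(minutes=10)):
    """Flag each source whose failed sign-ins cover at least min_accounts distinct
    accounts inside any sliding window. Returns {src: {"sprayed": [...],
    "compromised": [...]}}, where "compromised" lists accounts that source
    successfully signed into at or after the start of the flagged window."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [(t, u) for t, _, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                wins = sorted(u for t, _, u, r in evs if r == "SUCCESS" and t >= start)
                alerts[src] = {"sprayed": sorted(users), "compromised": wins}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

The single-account source is deliberately not flagged: repeated failures against one account are a brute-force pattern, and a spray detector keyed on distinct-account count leaves that to a separate lockout or per-account rule.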
In October 2019 Microsoft identified Iranian attempts to target U.S. presidential campaigns by a group going by the name of Phosphorus.