SEATTLE — Microsoft took control of 99 websites that it said Iranian hackers had used to try to steal sensitive information from targets in the United States, according to court documents unsealed Wednesday.
By taking over the sites, Microsoft can stop future cyberattacks and monitor how previously infected computers were compromised, the company said.
The hackers “specifically directed” their attacks on people in Washington, Microsoft said in the filing. The hacking group typically has targeted the personal email accounts of people working in both the public and private sectors, including dissidents and workers in government agencies, Microsoft said in court documents.
People working in the Treasury Department and similar agencies in other Western governments were among those targeted, according to a person with knowledge of the attacks who spoke on the condition of anonymity.
The Treasury Department, which did not immediately respond to a request for comment, oversees economic sanctions against Iran.
Microsoft sued the hackers in the United States District Court in Washington and asked to gain control of the sites, saying the hackers had harmed its brand and the value of its trademarks by impersonating its products to trick victims. On March 15, Judge Amy Berman Jackson granted a temporary restraining order that let Microsoft take over the websites.
Microsoft said the hacking group, which it calls Phosphorus but is also known as APT35 and Charming Kitten, had been linked to Iran. The group uses a technique known as spear phishing: it sends emails and social media messages that impersonate people or institutions the target knows. The messages either prompt the user to click a link that installs malware, letting the hackers spy on the victim’s computer, or lead the victim to a counterfeit login page that captures their credentials, which the hackers then use to sign in to the victim’s real accounts.
The Iranian hackers faked the look and language of several Microsoft products, including LinkedIn, OneDrive and Hotmail, Microsoft said in the documents.
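One defensive check that follows from the impersonation described above is to flag hostnames that imitate the brands in question. The block below is an added example for this article, not code from Microsoft or from the court filings: the brand list, the allowlist of legitimate registered domains, the homoglyph map and the sample hostnames are all constructed here, and "microsoft" and "outlook" are assumed additions to the three brands the article names.

```python
"""Flag hostnames that impersonate Microsoft-owned brands.

Added example for this article; not Microsoft's code and not data from the
case. Brands, allowlist, homoglyph map and sample hosts are constructed.
"""
from __future__ import annotations

# Brands named in the article ("microsoft" and "outlook" added as assumptions).
BRANDS = ("linkedin", "onedrive", "hotmail", "microsoft", "outlook")

# Registered domains treated as legitimate (assumed allowlist for the example).
LEGIT_DOMAINS = ("linkedin.com", "microsoft.com", "microsoftonline.com",
                 "live.com", "outlook.com", "onedrive.com", "hotmail.com")

# Digits attackers commonly swap for look-alike letters (constructed map).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed sample input; none of these are domains from the filings.
SAMPLE_HOSTS = [
    "www.linkedin.com",             # legitimate subdomain
    "login.microsoftonline.com",    # legitimate subdomain
    "linkedin-security-check.com",  # brand embedded in a registered domain
    "0nedrive-share.net",           # homoglyph: 0 for o
    "hotmai1-support.org",          # homoglyph: 1 for l
    "linkdin-login.com",            # one-character typosquat
    "example.org",                  # unrelated
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legitimate(host: str) -> bool:
    """True if the host is, or sits under, an allowlisted registered domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def impersonated_brand(host: str) -> str | None:
    """Return the brand a hostname imitates, or None.

    The allowlist is checked first so a real linkedin.com subdomain is never
    reported as impersonating itself. Labels are split on "." and "-" and
    normalised through the homoglyph map before comparison.
    """
    if is_legitimate(host):
        return None
    host = host.lower().rstrip(".")
    labels = host.split(".")[:-1]  # drop the TLD
    tokens = [t for label in labels for t in label.split("-") if t]
    for raw in tokens:
        tok = raw.translate(HOMOGLYPHS)
        for brand in BRANDS:
            if brand in tok:
                return brand
            # Only compare edit distance when the token is close in length,
            # so short generic words do not match long brands by accident.
            if len(tok) >= len(brand) - 1 and levenshtein(tok, brand) <= 1:
                return brand
    return None


def scan(hosts) -> dict[str, str]:
    """Map each flagged host to the brand it imitates."""
    return {h: b for h in hosts if (b := impersonated_brand(h)) is not None}


if __name__ == "__main__":
    for host, brand in scan(SAMPLE_HOSTS).items():
        print(f"{host:30} -> impersonates {brand}")
```

The allowlist is deliberately narrow: without a public-suffix list, `host.endswith("." + d)` is the simplest safe test, and any host not explicitly allowlisted is subject to the brand checks.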
By seizing the sites, Microsoft set up what is known as a “sinkhole”: the seized domains now resolve to servers Microsoft controls, so it can observe the traffic from victims’ browsers and infected machines that would otherwise have reached the hackers.
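What “monitoring the traffic” at a sinkhole looks like in practice is shown by the added example below. It is not Microsoft’s sinkhole tooling; the log format (a combined-style web server log with the requested Host header appended as a final field) and every log line are constructed for illustration, with IPs from documentation ranges and invented domain names.

```python
"""Triage traffic arriving at a sinkhole for seized phishing domains.

Added example for this article; not Microsoft's code. The log format and the
log lines are constructed (documentation-range IPs, invented hostnames).
"""
import re
from collections import defaultdict

# Combined log format with the Host header appended as the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)

# Constructed sample lines: one victim loads a fake login page and submits
# credentials, another only views it, and an implant beacons every 5 minutes.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2019:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "onedrive-share.example"
192.0.2.10 - - [20/Mar/2019:10:01:09 +0000] "POST /login HTTP/1.1" 200 12 "-" "Mozilla/5.0" "onedrive-share.example"
198.51.100.7 - - [20/Mar/2019:10:03:44 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "onedrive-share.example"
203.0.113.5 - - [20/Mar/2019:10:04:10 +0000] "GET /update.php HTTP/1.1" 200 0 "-" "-" "linkedin-verify.example"
203.0.113.5 - - [20/Mar/2019:10:09:10 +0000] "GET /update.php HTTP/1.1" 200 0 "-" "-" "linkedin-verify.example"
this line is malformed and must be skipped, not crash the parser
"""


def parse(log_text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def summarize(log_text: str) -> dict:
    """Per seized host: distinct client IPs, credential submissions (POSTs),
    and clients that came back more than once (beacon-like behaviour)."""
    clients = defaultdict(set)
    posts = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for rec in parse(log_text):
        host = rec["host"]
        clients[host].add(rec["ip"])
        hits[host][rec["ip"]] += 1
        if rec["method"] == "POST":
            posts[host] += 1
    return {
        host: {
            "clients": len(ips),
            "credential_posts": posts[host],
            "repeat_clients": sorted(ip for ip, n in hits[host].items() if n > 1),
        }
        for host, ips in clients.items()
    }


if __name__ == "__main__":
    for host, stats in summarize(SAMPLE_LOG).items():
        print(host, stats)
```

Distinguishing a one-off page view from a POST to the fake login form tells the operator which victims actually handed over credentials and need to be notified; a client returning to the same path on a fixed interval is the signature of an implant still calling home to the seized domain.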
“While we’ve used daily security analytics tracking to stop individual Phosphorus attacks and notify impacted customers, the action we executed last week enabled us to take control of websites that are core to its operations,” Tom Burt, a Microsoft security executive, said in a blog post.
Microsoft has used this legal and technical approach before, including for fighting the botnets that spit out spam email. It also used the approach against Fancy Bear, a hacking group widely considered to be affiliated with Russian intelligence, which Microsoft said had targeted think tanks and political groups in the United States and Europe.