Microsoft disrupts Bohrium hackers’ spear-phishing operation

Gandalf_The_Grey

The Microsoft Digital Crimes Unit (DCU) has disrupted a spear-phishing operation linked to an Iranian threat actor tracked as Bohrium that targeted customers in the U.S., Middle East, and India.

Bohrium has targeted organizations from a wide range of industry sectors, including tech, transportation, government, and education, according to Amy Hogan-Burney, the General Manager of Microsoft DCU.

Microsoft has taken down 41 domains used in this campaign to establish a command and control infrastructure that enabled the attackers to deploy malicious tools designed to help them gain access to targets' devices and exfiltrate stolen information from compromised systems.

According to evidence provided by Microsoft in court filings [PDF], the Iranian hackers have been "intentionally accessing and sending malicious software, code, and instructions to the protected computers, operating systems, and computer networks of Microsoft and the customers of Microsoft, without authorization [..]."

While Microsoft did not reveal the timeline of this spear-phishing operation, some of the dozens of domains taken down have been used to host and push malware payloads as far back as 2017.

"Bohrium actors create fake social media profiles, often posing as recruiters. Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target's computers with malware," Hogan-Burney said.

"This activity was uncovered by Microsoft's Threat Intelligence Center (MSTIC), which tracks the world's nation-state and cybercrime actors so we can better protect our customers."