Last week Microsoft’s Digital Crimes Unit (DCU) disclosed that it had taken legal proceedings against an Iranian threat actor dubbed Bohrium, linked with a spear-phishing operation.
Bohrium is said to have targeted multiple entities in the U.S., India and the Middle East, including across transportation, tech, education, and government sectors.
In a Tweet Amy Hogan-Burney of the DCU said, “Bohrium actors create fake social media profiles, often posing as recruiters… Once personal information was obtained from the victims, Bohrium sent malicious emails with links that ultimately infected their target’s computers with malware.”
Microsoft have shared an ex parte order showing that the goal of the attacks was to exfiltrate and steal sensitive information, carry out remote reconnaissance, and take control over the infected machines.
To stop the activities of Bohrium, Microsoft disclosed that they took down 41 “.com,” “.info,” “.me,” “.net,” “.org,” and “.xyz” domains that were used as command-and-control infrastructure to facilitate the campaign.
The tech giant previously revealed that it had identified and disabled malicious OneDrive activity. The activity is thought to have been perpetrated by a previously undocumented threat actor named Polonium since February 2022.
In these attacks, OneDrive was used as command-and-control in part of a larger spate of attacks the hacking group launched against over 20 organisations based in Lebanon and Israel.