Phosphorus Targets Munich Security Conference and T20 Summit Attendees
- Actor Motivations: Espionage,Exfiltration
- Attack Vectors: Spear Phishing
- Attack Complexity: Medium
- Threat Risk: Low Impact/High Probability
Threat Overview
The Iranian threat actor Phosphorus targeted potential attendees of the Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia through a series of cyberattacks. The attackers sent spoofed email invitations to former government officials, policy experts, academics, and leaders from non-governmental organizations. Their goal was intelligence collection, and they successfully compromised several high-profile individuals' accounts.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Case | Munich Security Conference The Munich Security Conference is an annual conference on international security policy that has been held in Munich, Bavaria, Germany since 1963. Formerly named the Munich Conference on Security Policy, the motto is: Peace through Dialogue. It is the world's largest gathering of its kind. Munich Security Conference has been targeted by Phosphorus with abusive purposes. | Verified |
| Case | Think20 (T20) The Think 20 (T20) is an engagement group of the G20 that brings together think tanks from around the world to contribute policy recommendations and advice to the G20 summit. Think20 (T20) has been targeted by Phosphorus with abusive purposes. | Verified |
| Sector | Human Rights | Medium |
| Sector | Journalists | Medium |
| Sector | Pro-Democracy | High |
| Sector | Political | High |
| Region | Middle East Countries | High |
| Region | Saudi Arabia | Medium |
| Region | United States | Medium |
| Region | European Countries | High |
Extracted IOCs
- de-ma[.]online
- g20saudi.000webhostapp[.]com
- ksat20.000webhostapp[.]com
- munichconference1962@gmail[.]com
- munichconference@outlook[.]com
- munichconference@outlook[.]de
- t20saudiarabia@gmail[.]com
- t20saudiarabia@hotmail[.]com
- t20saudiarabia@outlook[.]sa
Tip: 9 related IOCs (0 IP, 3 domain, 0 URL, 6 email, 0 file hash) to this threat have been found.