The United States District Court for the Eastern District of Virginia noted that there are sufficient grounds to believe the cybercriminal group violated the Computer Fraud and Abuse Act (CFAA) and other digital crime laws by orchestrating attacks on Microsoft and its customers. Bohrium targeted Microsoft users in India, the Middle East, and the U.S. in a sophisticated spear-phishing campaign, Hogan-Burney said. A court hearing is scheduled for Friday, June 10.

Spear Phishing Campaign Affected Multiple Sectors

Microsoft’s Threat Intelligence Center (MSTIC), which monitors state-sponsored advanced persistent threats (APT), detected Bohrium’s activities. The cybercriminal group employed “deceptive and fraudulent methods” to orchestrate data theft, infect computer systems, gain unauthorized system access, and conduct espionage. Bohrium hackers created “fake social media profiles, often posing as recruiters” to get information and send malicious phishing emails to Microsoft users, Hogan-Burney said. The group targeted people from different sectors, including tech, transportation, government, and education. The court filing notes that Bohrium conducted its far-reaching spear-phishing campaign by leveraging several domains and domain registration facilities. Bohrium used .info, .com, .live, .me, .net, .xyz, and .org domains to host malicious content from its command-and-control server (C2). C2 servers are web servers used by cybercriminals to host malware like FluBot and coordinate their nefarious schemes. According to the court filings, to “halt [further] injury caused by [Bohrium],” and for the public good and the safety of Microsoft and its customers, the domains must be terminated. The filing contains 41 fake domains disguised to look legitimate, such as “bluecake.xyz,” “supportskype.com,” “healthcaretip.info,” and “outlookde.live.”

Bohrium Is Still Active

It is unclear why the threat actor has been named “Bohrium” — a synthetic radioactive chemical element. Meanwhile, there is no indication that Bohrium’s operations have stopped. The court filings are “ex parte,” meaning that legal action had to be processed against Bohrium (the Defendant) without its presence because there is irrefutable evidence of a crime that must be stopped. “Microsoft has made a clear showing that if such conduct continues, irreparable harm will occur to Microsoft, Microsoft’s customers, and the public and that the Defendants will continue to engage in such unlawful actions if not immediately restrained from doing so by Order of this Court,” the court stated. In March, cybersecurity and intelligence agencies from the US, the UK, and Australia sounded a warning that Iran-based threat actors are targeting entities and individuals in key sectors like transportation and healthcare. At the time, Microsoft highlighted instances of different Iran-based cybercriminal groups conducting spear-phishing campaigns between 2020 and 2021. Phishing attacks are the sneakiest type of cyberattack and can net cybercriminals large profits when stolen credentials are sold on the dark web. Whether you are a Microsoft customer or not, we recommend you read our extensive guide to phishing to arm yourself with knowledge about socially engineered threats that could potentially affect you.
