Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.
An advanced persistent threat (APT) group with ties to Iran is believed to be behind a phishing campaign targeting high-profile Israeli government and military personnel, according to a report by Check Point Software.
Targets of the campaign included senior leadership in the Israeli defence industry, the former US Ambassador to Israel & the former Deputy PM of Israel.
The object of the campaign, the researchers stated, was to obtain personal information from targets.
Fake Emails from Real Addresses
One of the targets, according to Check Point, is Tzipi Livni, Israel’s former Foreign Minister, Minister of Justice & Vice PM. Researchers believe that the target was selected because of the high-calibre list of contacts in her address book.
Recently she received an email from, according to the researchers, “a well-known former Major General in the IDF (Israeli Army) who served in a highly sensitive position.” The sender address was not spoofed – it was the same domain she had corresponded with before.
Message
Translated from Hebrew, the message read:
Hello, my dear friends, Please see attached article to summarize the year. ((*eyes only*)) Of course I do not want it to be distributed, because it is not the final version. I would be happy to receive remarks of any kind. Have a great rest of the day.
The message contained a link. Livni delayed clicking the link, prompting several follow-up emails.
Good morning, I have not heard from you. Some friends sent me remarks. Your remarks are also very important to me. I know you are very busy. But I wanted to ask you to take your time & read the article. Good week
Compromised Account
The persistence of the sender & flurry of messages raised her suspicions, according to Check Point. After Livni met with the former Major General, it became clear that the emails were sent from a compromised account & the contents of the messages were part of a phishing attack.
It was similar for the other targets in this campaign – suspect emails were being sent from legitimate contacts.
What Really Happened
The method of attack was not particularly technical. “The most sophisticated part of the operation is the social engineering,” Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, noted. He explained, the campaign was “a very targeted phishing chain that is specifically crafted for each target.” Crafting phishing emails for a specific individual is a technique called spear-phishing.
The attackers began each spear-phishing attack by compromising the email account, and with it the address book, of a contact of their target.
Then, using the hijacked account, they would continue an already existing email chain between the contact & the target. In time, they would steer the conversation towards conning the target into clicking on or opening a malicious link or document.
Real Document
“Some of the emails include a link to a real document that is relevant to the target,” Check Point’s analysts noted. For example, an “invitation to a conference or research, phishing page of Yahoo, link to upload document scans.”
“The goal,” was “to steal their personal information, passport scans, & steal access to their mail accounts.”
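The pattern described above, a trusted correspondent continuing an existing thread but now introducing a link to a webmail-lookalike login page or a "document upload" lure and then applying pressure, is something a mail-security team can score heuristically. The following is an added example written for this article, not Check Point's code or tooling; the thread, sender addresses, domains and URLs are constructed, and the brand list, keyword lists and scoring rules are assumptions for illustration.

```python
"""
Heuristic triage for thread-hijack (conversation-hijacking) phishing.

Added example, not Check Point's tooling. Flags a message that arrives from a
genuine, previously-seen correspondent inside an existing thread but carries a
link domain the thread has never contained, points at a webmail-lookalike host,
asks for document/passport scans, or pressures the recipient to act.
All messages, domains and URLs below are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)

# Brands whose login pages are commonly imitated, mapped to the hosts a link may
# legitimately point at (constructed, illustrative list; extend for production).
WEBMAIL_BRANDS = {
    "yahoo": {"yahoo.com", "mail.yahoo.com", "login.yahoo.com"},
    "gmail": {"gmail.com", "google.com", "accounts.google.com"},
    "outlook": {"outlook.com", "live.com", "login.microsoftonline.com"},
}
UPLOAD_LURE_RE = re.compile(r"\b(upload|scan|passport|id card)\b", re.I)
PRESSURE_RE = re.compile(r"\b(not heard from you|haven't heard|reminder|urgent|asap)\b", re.I)


@dataclass
class Message:
    sender: str
    body: str
    is_reply: bool = True  # True when the message continues an existing thread


def extract_urls(text):
    return URL_RE.findall(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def lookalike_brand(host):
    """Return the brand a host imitates, or None if it is a legitimate brand host."""
    for brand, legit in WEBMAIL_BRANDS.items():
        if brand in host and host not in legit:
            return brand
    return None


def triage(thread, new_msg):
    """Score new_msg against the established thread; returns a sorted list of reasons."""
    reasons = set()
    known_senders = {m.sender.lower() for m in thread}
    known_hosts = {host_of(u) for m in thread for u in extract_urls(m.body)}
    new_hosts = {host_of(u) for u in extract_urls(new_msg.body)}

    # A trusted sender replying inside a real thread is exactly the cover a hijacked
    # account provides, so a link domain that is new to the thread is the signal here.
    established = new_msg.sender.lower() in known_senders and new_msg.is_reply
    for h in new_hosts - known_hosts:
        if established:
            reasons.add("link_domain_new_to_thread:" + h)
        brand = lookalike_brand(h)
        if brand:
            reasons.add("webmail_lookalike:" + brand)
    if new_hosts and UPLOAD_LURE_RE.search(new_msg.body):
        reasons.add("document_upload_lure")
    if PRESSURE_RE.search(new_msg.body):
        reasons.add("follow_up_pressure")
    return sorted(reasons)


# Constructed thread: a benign exchange, then two messages from the hijacked account.
THREAD = [
    Message("general@example.org", "Good to see you last week. Let's talk again soon.", is_reply=False),
    Message("target@example.net", "Likewise, always a pleasure."),
]
LURE = Message("general@example.org",
               "Please see the attached article to summarize the year (eyes only): "
               "https://docs-share.example/summary.pdf")
FOLLOW_UP = Message("general@example.org",
                    "I have not heard from you. Please upload your passport scan here so I can "
                    "add you to the conference list: https://yahoo-secure-login.example/verify")


def demo():
    """Run both hijacked-account messages through triage."""
    return {"lure": triage(THREAD, LURE), "follow_up": triage(THREAD + [LURE], FOLLOW_UP)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", reasons or ["no findings"])
```

The first lure is flagged only because a trusted thread suddenly carries a never-seen link domain; the follow-up accumulates the lookalike-host, upload-lure and pressure signals on top of it. A link to a legitimate brand host (for example mail.yahoo.com) still gets the new-to-thread note but not the lookalike flag, which is the distinction an analyst queue should preserve.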
Who & Why?
“We have solid evidence that it started at least from Dec. 2021,” Shykevich wrote, “but we assume that it started earlier.”
In the analysis, the researchers found evidence they believe points to the Iran-linked Phosphorus APT group (a.k.a. Charming Kitten, Ajax Security, NewsBeef, APT35). ‘Phosphorus’ is one of Iran’s most active APTs, with “a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.”
Assassinations
Iran & Israel are hardly friends, & these attacks came “in the midst of escalating tensions. With recent assassinations of Iranian officials (some allegedly by the Israeli’s Mossad), & thwarted attempts to kidnap Israeli citizens worldwide, we suspect that Phosphorous will continue with its ongoing efforts in the future.”