SPY OPS: How Israeli And US Top Officials Were Targeted In Iranian Spear-Phishing Operation

NEW DELHI: Check Point Research (CPR) has discovered an Iranian spear-phishing operation aimed at high-level Israeli and US officials.

The attackers compromised the emails of senior Israeli officials and then used them to target other high-level officials in order to obtain personal information. Former Israeli Foreign Minister Tzipi Livni, former US Ambassador to Israel, former Major General of the IDF, and three others have been targeted.

Furthermore, the attackers hijacked current email exchanges and swapped emails to new ones while pretending to be someone else in order to fool their targets into interacting with them. CPR believes the operation’s purpose is to steal personal information, passport scans, and email accounts.

CPR’s discoveries come at a time of escalating tensions between Israel and Iran, with Iran previously attempting to attract Israeli targets via email.

ALSO READ: Cyber Attack On India Widens, Around 200 Govt, Private Domains Targeted

Check Point Research (CPR) has discovered an Iranian spear-phishing operation aimed at high-level Israeli and US executives. As part of their operations, the attackers take over the executives’ current accounts and create bogus impersonating accounts to entice their targets into lengthy email chats. CPR believes the operation’s purpose is to steal personal information, passport scans, and email account access. According to CPR, the operation will last until at least December 2021, but it is likely to end sooner.

CPR believes that the threat actors behind the operation are an Iranian-backed entity. Evidence points to a possible connection of the operation to the Iran-attributed Phosphorus APT group. The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.

ALSO READ: Maharashtra Cyber Cops Nab Five Lending App Agents For Harassing Client

“We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal to steal their personal information, passport scans, and steal access to their mail accounts. We have solid evidence that it started at least from December 2021 ; but we assume that it started earlier,” said Manish Alshi, Head of Channels and Growth Technologies – India & SAARC, Check Point Software Technologies.

Alshi highlighted that the most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations to well-known contacts of the targets and specific lures for each target. The operation implements a very targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in the nation state cyber-attacks.

High profile targets include:

• Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel
• Former Major General who served in a highly sensitive position in the IDF
• Chair of one of Israel’s leading security think tanks
• Former US Ambassador to Israel
• Former Chair of a well known Middle East research center
• Senior executive in the Israeli defense industry   

Attack Methodology

1. The attacker takes over a real e-mail account of a frequent contact of the target
2. The attacker proceeds to hijack an existing email conversation
3. The attackers then open a fake email to impersonate the contact of the target, mostly in the format of joe.doe.corp@gmail.com.
4. The attackers continue the hijacked conversation from the fake email and exchanges at least several emails with the target
5. Some of the emails include a link to a real document that is relevant to the target. e.g, invitation to a conference or research/phishing page of Yahoo/ link to upload document scans.

Follow The420.in on

 Telegram | Facebook | Twitter | LinkedIn | Instagram | YouTube