Security researchers have uncovered a major new state-backed spear-phishing operation targeting several senior Israeli and US officials.
Check Point traced the campaign to Iranian group Phosphorus APT.
Dating to at least December 2021, it targeted Israel’s former foreign minister and deputy prime minister Tzipi Livni; a former major general in the Israel Defense Forces (IDF); and a former US ambassador to Israel.
Other targets included a senior executive in Israel’s defense industry and the chairman of one of the country’s leading security think tanks, according to the report.
The methodology is quite simple. The attacker compromises the inbox of a frequent contact of the target, then hijacks an existing conversation between the two. They then open a new spoofed email address pretending to be the same contact, with a format that looks like joe.doe.corp[@]gmail.com.
The attacker then tries to continue the conversation using this new e-mail address, exchanging several messages. Check Point added that real documents are sometimes used as part of the exchange to add legitimacy and relevance to the scam.
In one instance, Livni was contacted by the “retired major general” via her real email address and repeatedly asked to click on a link in the message and use her password to open the linked file. . When she met him at a later date, he confirmed that he never sent the email.
“We exposed Iranian phishing infrastructure that targets Israeli and American public sector executives, with the aim of stealing their personal information, scanning their passports and stealing access to their email accounts,” Sergey explained. Shykevich, head of Check Point’s threat intelligence group.
“The most sophisticated part of the operation is the social engineering. Attackers use real hijacked email chains, impersonation of well-known contacts of the targets, and specific decoys for each target. The operation implements a highly targeted phishing chain, specially designed for each target. Additionally, the nation-state attacker’s aggressive email engagement with targets is rarely seen in nation-state cyberattacks.
In 2019, Microsoft claimed to have had a “significant impact” in its efforts to disrupt the Phosphorous Group – also known as APT35 and Charming Kitten – after a court order allowed it to take control of 99 domains. phishing devices used by the group.
The latest revelations prove how difficult it is to stop a determined state-funded adversary.