Alleged Iranian hackers targeted the email accounts of former Israeli and American government officials, according to research published by the Israeli cybersecurity firm Check Point Software Technologies Ltd.
Attackers targeted accounts by using standard hacking techniques such as email phishing and social engineering, the researchers said.
The targets included Tzipi Livni, a former minister of justice and minister of foreign affairs, in addition to an unnamed former Israeli military official and a former US ambassador to Israel, Check Point researchers said in a report published Tuesday. The researchers only specified Livni by name, and gave descriptions of the other people targeted.
The goal was to steal personal information, scan passports and gain access to their mail accounts, said Sergey Shykevich, threat intelligence group manager at Check Point.
In one example provided by Check Point, Livni received an email from a former senior official in the Israeli Defense Forces. The emails were sent from that official’s genuine email address, suggesting the account was compromised and being used by the alleged Iranian hackers.
The attackers’ strategy was to use a compromised email account to create a rapport with the recipient, the researchers said. After a few messages, the hackers would include links to malicious documents or phishing pages.
In the case of Livni, the hacker posing as the former military official asked her several times to open a document using her email password, at which point Livni grew suspicious. She realized the messages were fake after speaking in person to the former military official with whom she thought she’d been corresponding, according to Check Point.
“The operation implements a very targeted phishing chain that is specifically crafted for each target,” Shykevich said.
Check Point determined that the phishing campaign was linked to Iran because the attacker used a domain name that was also used in an Iranian campaign that targeted attendees of the 2020 Munich Security Conference, according to Shykevich. Microsoft Corp. previously linked the campaign to Iranian hackers.
Some of the phishing attacks succeeded in obtaining personal information and passport scans of their targets, Shykevich said.
The Check Point researchers attributed the attacks to a specific group of Iranian hackers dubbed Phosphorus, sometimes referred to as APT35 or Charming Kitten by computer security researchers.
In 2019, Microsoft accused Phosphorus hackers of targeting accounts associated with a US presidential campaign.
©2022 Bloomberg L.P.