Iranian hackers targeted the emails of senior Israeli and American officials and executives, including former foreign minister Tzipi Livni and a former US ambassador to Israel, according to the Israeli cybersecurity firm Check Point.
Check Point was alerted to the hacking attempts by Livni after she received a number of suspicious emails from an email address belonging to a well known former major general in the IDF who served in a highly sensitive position. The emails were written in somewhat broken Hebrew.
The first email contained a link to a file which the attacker asked her to open and read. When she delayed doing so, the attacker urged her several times to open the file using her email password, prompting her suspicions.
After meeting with the former major general and confirming that he had never sent any such emails to her, she asked Check Point to investigate the incident.
In another case found by Check Point, the Iranian hackers impersonated an American diplomat who had previously served as the US ambassador to Israel in order to target a chairperson of one of Israel's leading security think tanks. The emails by the hackers were also written in broken English.
The hackers created a fake URL shortener service called Litby.us in order to carry out their attacks. The fake service doesn't function and if you try to create a new short URL it asks you to register for the service and send an email.
The shortened links sent to the targets were personalized for each target, leading to phishing pages – which pretend to be a trusted entity meant to trick targets into revealing sensitive information – also personalized for each target. The phishing pages asked users for their account ID followed by an SMS code verification page.
Check Point suspects that once victims enter their account ID, the phishing backend server would send a password recovery request to Yahoo and the hackers would use the authentication code to gain access to the victim's inbox.
The attackers also used the legitimate service validation.com to steal identity documents from some of the victims. Check Point's analysis found an indication that the attacker obtained the scan of the passport of a high end target.
Check Point also found that the attackers used a Gmail account to impersonate a professor from the Jerusalem Institute for Strategy and Security (JISS).
The Israeli cybersecurity firm linked the attack to an Iranian-backed entity because its primary targets were Israeli officials and because a comment in the source code of the phishing page included a domain that has been used by an Iranian hacker group called Phosphorus.
In one of the cases analyzed by Check Point, the hackers invited the target to a "Skier's Roundtable" event at a ski lodge in Utah. Check Point theorized that attackers may have been trying to lure the target abroad in order to target them in a ground operation, similar to past attempts by Iran.
The latest attempt by Iranian hackers to target Israel
The Check Point report comes just a month after the Shin Bet revealed that Iranian intelligence operatives were attempting to lure Israeli businessmen and academics abroad in order to kidnap or harm them, as well as to gather intelligence.
The Iranian operatives in that attack stole the identities of foreign and Israeli academics, journalists, reserve officers, businessmen and philanthropists and used the stolen identities and relevant cover stories in order to gather intelligence about Israelis and to lure them to locations abroad in order to kidnap or harm them.
The operatives would send an email from an address that was similar to the authentic address used by the person whose identity had been stolen, changing just a letter or symbol, before asking the target to switch to a WhatsApp conversation. The operatives used real information that could be verified by a check on the Internet.
Phosphorus's track record
The Iranian Phosphorus hacker group has impersonated trustworthy people in the past in attempts to solicit sensitive information from journalists, think tank experts and senior professors, with a report published by the cybersecurity company Proofpoint last July finding that they impersonated British scholars with the University of London's School of Oriental and African Studies (SOAS).
The Phosphorus group has also targeted medical professionals in past attacks.
In that attack they also used a compromised site to try and harvest information from targets. The hackers conducted lengthy conversations with their targets before delivering the false links. They also tried to attack the personal email account of at least one of the targets.
In February, the cybersecurity firm Cybereason reported an uptick in the activity of the Phosphorus group, saying that multiple attacks were carried out by the group by exploiting Microsoft Exchange Server vulnerabilities at the end of 2021.
The group began using a new set of tools that they had developed at the beginning of 2022, including a backdoor for the PowerShell scripting language and a number of open-source tools. Cybereason also found an IP address potentially linking the group to the Memento Ransomware and other tools.