Iranian hackers targeted senior medical professionals specializing in genetic, neurology and oncology research in the US and Israel late last year, cybersecurity company Proofpoint reported on Tuesday.
The hackers, known as TA453 or CHARMING KITTEN and PHOSPHORUS, have historically aligned with the priorities of Iran's Islamic Revolutionary Guard Corps (IRGC), with attacks targeting dissidents, academics, diplomats and journalists, according to the report.
TA453's credential phishing campaign against the medical professionals, referred to as BadBlood, is a deviation from the group's usual activity and may represent a shift in their targeting or may just be for a short-term requirement.
The hackers used a Gmail account presented as belonging to prominent Israeli physicist and former president of the Weizmann Institute of Science, Daniel Zajfman. The emails had the subject line "Nuclear weapons at a glance: Israel" and used social engineering lures related to Israeli nuclear capabilities to trick recipients.
A link in the email led to a landing page spoofing Microsoft's OneDrive service, with a PDF document logo titled CBP-9075.pdf, according to Proofpoint. When users attempted to view and download the document, the page presented a fake Microsoft login page that attempted to collect the user's credentials. All the links on the page led to the same forged login page, except for the "Create one!" link, which led to Microsoft Outlook's legitimate sign-up page.
It is unclear how the hackers used credentials they collected from this specific campaign, but in previous attacks, TA453 used harvested credentials to access email inbox content and even used compromised accounts for further phishing attacks.
Around 25 medical professionals at several medical research organizations in the US and Israel were targeted in the cyberattack. Proofpoint has not yet been able to conclusively determine the motivation of the hackers in the most recent campaign, but theorized that it may be to collect specific medical information related to genetic, oncology or neurology research. The campaign may also demonstrate an interest in patient information or in using the recipients' accounts in further campaigns, according to the internet security company.
The hackers attempted to use other domains to target others with a similar attack in December 2020, the Proofpoint report added, with the lures used involving similar, national security themes.
Cyberattacks have targeted medical companies and professionals around the world since the coronavirus pandemic began last year.
Last May, Reuters reported that the Iranian hackers had targeted staff at US drugmaker Gilead Sciences Inc., which was working to develop a treatment for COVID-19 at the time. It is unclear whether the hackers were successful.
Additionally in May, a cyberattack unsuccessfully targeted Israeli research centers working on a coronavirus vaccine, according to Channel 12. Cyberattacks have been reported on other vaccine research centers around the world, including in the US and UK. Some of the attacks have been blamed on Russia and China.
In the last two months of 2020, cyberattacks on healthcare organizations rose 45%, mainly by hackers looking to extort hospitals for ransom, Check Point Software reported in January.
The hacking infrastructure used in the attempt had previously been used in attacks by TA453, Priscilla Moriuchi, director of strategic threat development at US cybersecurity firm Recorded Future, told Reuters at the time.
TA453 was also reportedly responsible for unsuccessfully targeting former US president Donald Trump's re-election campaign in 2019, according to Reuters. The hacking attempt targeted hundreds of accounts in Microsoft's cloud email service; four accounts that were not associated with an election campaign were compromised.
Microsoft's Digital Crimes Unit and the Microsoft Threat Intelligence Center have tracked TA453 since 2013, the company announced in 2019, adding that the group typically targeted businesses, government agencies, activists and journalists with attempts to entice targets to click on malicious links or enter credentials in fraudulent web forms pretending to belong to well-known online services.
Israel's National Cyber Directorate reported that it handled more than 11,000 inquiries on its 119 hotline in 2020, some 30% more than it handled in 2019. The directorate made about 5,000 requests to entities to handle vulnerabilities exposing them to attacks and was in contact with about 1,400 entities concerning attempted or successful attacks.
Zev Stub contributed to this report.