Iran Spear-Phishers Hijack Email Conversations in New Campaign

Security researchers have uncovered a major new state-backed spear-phishing operation targeting multiple high-ranking Israeli and US officials.

Check Point traced the campaign to the Iranian Phosphorus APT group.

Dating back to at least December 2021, it has targeted former Israeli foreign minister and deputy Prime Minister Tzipi Livni; a former major general in the Israeli Defense Forces (IDF); and a former US ambassador to Israel.

Other targets included a senior executive in Israel’s defense industry and the chair of one of the country’s leading security think tanks, according to the report.

The methodology is fairly straightforward. The attacker compromises the inbox of a frequent contact of the target and then hijacks an existing conversation between the two. They then open a new spoofed email address impersonating the same contact, with a format resembling joe.doe.corp[@]gmail.com.

The attacker then attempts to continue the conversation using this new email address, exchanging multiple messages. Check Point added that real documents are sometimes used as part of the exchange to add legitimacy and relevance to the scam.

In one case, Livni was contacted by the ‘retired IDF major general’ via his real email address and repeatedly asked to click on a link in the message and use her password to open the linked file. When she met him at a later date, he confirmed never to have sent the email.

“We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal to steal their personal information, passport scans, and steal access to their mail accounts,” explained Check Point threat intelligence group manager Sergey Shykevich.

“The most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations of well-known contacts of the targets and specific lures for each target. The operation implements a highly targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in the nation state cyber-attacks.”

Back in 2019, Microsoft claimed to have made a “significant impact” in its efforts to disrupt the Phosphorous group – also known as APT35 and Charming Kitten – after a court order allowed it to take control of 99 phishing domains used by the group.

The latest revelations prove how difficult it is to stop a determined state-funded adversary.

What’s Hot on Infosecurity Magazine?