State-backed hacking groups from Russia and China have been dominating the news cycle as of late, but Iran is reminding the world that it has its own assembly of advanced persistent threat (APT) groups with an espionage campaign targeting high-level members of the government and military of the United States and Israel. The campaign uses spear phishing to gain access to emails, leveraging the account takeover to join in existing conversations and steer them toward supplying login credentials and intelligence.
Iranian spear phishing hits prominent government, IDF & research figures
The spear phishing campaign was uncovered by security firm Check Point Research (CPR) after being notified of suspicious emails by a prominent client in Israel. The security researchers believe it has been going on since at least December 2021 and has targeted a number of Israeli government and military leaders as well as a former US ambassador to Israel.
The goal of the account takeovers is espionage, but the hackers are not settling for quietly exfiltrating sensitive files and trying to move laterally into government networks. Instead, they are proactively engaging with email contacts and attempting to compromise them by impersonating the victim. There seems to be a specific focus on harvesting the personal information of these contacts and obtaining passport scans, with the hackers engaging in “lengthy” conversations impersonating the spear phishing victim to work their way toward this intel.
CPR researchers say that the evidence points toward the Iranian state-backed Phosphorus APT group (APT35) as the perpetrators of the account takeovers. Sometimes also called “Charming Kitten” or “NewsBeef,” the group has been in action since at least 2013 and ran a US election interference campaign in 2020. It also has a long history of spear phishing, though previously its preferred method was to attack via SMS texts.
These spear phishing attacks are highly targeted, with the APT group first breaking into the email account of a person known to be a regular contact of the ultimate intended victim. They find and hijack an existing email exchange between the contact and the target, posing as the account takeover victim as they slip into the middle and redirect the exchange to an external email address that they create. The hackers then keep up conversations with the target at this new email address, building trust and familiarity. The ultimate goal is to make the target the next victim of an account takeover by passing them a malicious document that prompts them for their email credentials as a login, often posing as some sort of research paper or an invitation to a conference.
Account takeover campaign uses a variety of tricks to gain trust
The hackers have clearly anticipated where scrutiny might be directed by targets and have techniques in place to obscure what they are doing. For example, the phishing links are disguised with a link shortener called “litby.us” and the verification service “validation.com” is used with certain documents. The phishing pages are also built to mimic the account service on which the document is supposedly hosted.
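The conversation-hijack pattern described above leaves traces a defender can look for in a mail thread: a reply that arrives from an address the thread has never seen but reuses an established participant's display name, a Reply-To that quietly steers answers to a different domain, and links routed through the shortener the report names. The following script is an added example written for this article, not Check Point's tooling; the thread it analyzes is constructed, and the domains, names and message IDs in it are placeholders.

```python
"""Flag conversation-hijack indicators in a single mail thread.

Added example (not Check Point's code). Given a thread's messages in
chronological order, it flags:
  1. replies from an address new to the thread that reuse a known
     participant's display name,
  2. a Reply-To outside the sender's own domain (the redirect to an
     external mailbox described in the report),
  3. links passing through the shortener domain the report names.
All sample messages below are constructed; domains are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Shortener named in the report; extend this set per environment.
SUSPECT_LINK_DOMAINS = {"litby.us"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _addr(header_value):
    """Return (display name, address), both lower-cased, or empty strings."""
    if not header_value:
        return "", ""
    name, addr = parseaddr(str(header_value))
    return name.strip().lower(), addr.strip().lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def analyze_thread(raw_messages):
    """Return a list of (message index, indicator text) tuples."""
    findings = []
    known = {}          # display name -> addresses seen earlier in the thread
    seen_addrs = set()  # every sender address seen so far
    for i, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw, policy=policy.default)
        name, addr = _addr(msg["From"])
        _, reply_to = _addr(msg["Reply-To"])
        is_reply = bool(msg["In-Reply-To"] or msg["References"])

        # 1. Known name, never-seen address, in the middle of a thread.
        if is_reply and addr not in seen_addrs and name in known:
            findings.append((i, f"new address {addr} reuses known name "
                                f"'{name}' (previously {sorted(known[name])})"))

        # 2. Replies steered to a mailbox in another domain.
        if reply_to and _domain(reply_to) != _domain(addr):
            findings.append((i, f"Reply-To {reply_to} outside sender "
                                f"domain {_domain(addr)}"))

        # 3. Links routed through a suspect shortener.
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body else ""
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host in SUSPECT_LINK_DOMAINS:
                findings.append((i, f"link via suspect shortener {host}"))

        seen_addrs.add(addr)
        known.setdefault(name, set()).add(addr)
    return findings


# Constructed sample: a genuine exchange, then the compromised account
# redirects replies to an external mailbox, then the attacker continues
# from that mailbox with a shortened link to a "password-protected" document.
SAMPLE_THREAD = [
"""From: Dana Levi <dana.levi@example.org>
To: Target <target@example.net>
Subject: Panel invitation
Message-ID: <1@example.org>
Content-Type: text/plain

Are you free for the panel next month?
""",
"""From: Target <target@example.net>
To: Dana Levi <dana.levi@example.org>
Subject: Re: Panel invitation
Message-ID: <2@example.net>
In-Reply-To: <1@example.org>
Content-Type: text/plain

Yes, send over the details.
""",
"""From: Dana Levi <dana.levi@example.org>
Reply-To: dana.levi@mail-example.com
To: Target <target@example.net>
Subject: Re: Panel invitation
Message-ID: <3@example.org>
In-Reply-To: <2@example.net>
Content-Type: text/plain

Please reply to my other address, this mailbox is having issues.
""",
"""From: Dana Levi <dana.levi@mail-example.com>
To: Target <target@example.net>
Subject: Re: Panel invitation
Message-ID: <4@mail-example.com>
In-Reply-To: <3@example.org>
Content-Type: text/plain

The agenda is password-protected, log in here: https://litby.us/abc123
""",
]

if __name__ == "__main__":
    for idx, note in analyze_thread(SAMPLE_THREAD):
        print(f"message {idx}: {note}")
```

Run against a real mailbox, the same logic applies per thread (group by References/In-Reply-To); the display-name check is the one most worth tuning, since legitimate contacts do occasionally write from a second address, so treat it as a triage signal rather than a block rule.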
The researchers think that the spear phishing campaign may have ultimately had more ambitious designs than simple account takeover; there is some evidence that the fake invitations to conferences might have actually been used to try to lure the target out of the country and then kidnap them.
At least one of the initial accounts ensnared by the spear phishing campaign was that of a former senior IDF official. This account was used to target former minister of justice and minister of foreign affairs Tzipi Livni, who reported a series of suspicious emails to Check Point to kick off this investigation. Posing as the military official, the hackers repeatedly tried to get Livni to use her email account credentials to access a password-protected document.
Aside from the target selection, Check Point bases the attribution to Phosphorus on the use of a domain name that the threat group had previously used in a 2020 attack on the Munich Security Conference. Taking place in October of that year, that campaign was quite similar to this present one as it focused on spoofed emails and account takeovers. The Munich hackers sent spoofed emails to specific high-level targets, which appeared to be invitations to conference events. They sought to redirect the user to a harvesting page that asked for their email login credentials and would exfiltrate the entire contents of the victim’s mailbox when successful.
The incident serves as a reminder that the biggest and most capable threat groups in the world are willing to target private entities and citizens as part of their overall espionage and cyber warfare strategies, as Rajiv Pimplaskar (CEO of Dispersive Holdings) notes: “The Iranian as well as the IRS spear phishing operations are yet another example of how nation state sponsored actors are starting to dominate the threat landscape. Such threat actors are often more sophisticated, have a lot more resources, are economically and / or politically motivated and can afford to play a ‘long game’ of Steal Now Decrypt Later (SNDL). Sensitive data has a long tail and spear phishing is often employed as a strategy in conjunction with other Man in The Middle (MiTM) attacks to maximize chances of privilege escalation and lateral movement. Governments and businesses need to be mindful of the new cyber cold war where nation state sponsored attacks are proxy warfare in place of actual conflicts. Consequently, existing cyber defenses need to be bolstered with enhanced policies, training as well as endpoint and network security protection such as a next gen VPN to combat the increased threat of nation state actors.”