An advanced persistent threat group, with ties to Iran, is believed behind a phishing campaign targeting high-profile government and military Israeli personnel, according to a report by Check Point Software.
Targets of the campaign included senior leadership in the Israeli defense industry, the former U.S. Ambassador to Israel and the former Deputy Prime Minister of Israel.
The goal of the campaign, the researchers said, was to obtain personal information from targets.
Fake Emails from Legit Addresses
One of the targets, according to Check Point, is Tzipi Livni, Israel’s former foreign minister, minister of justice and vice prime minister. Researchers believe that the target was selected because of the high-caliber list of contacts in her address book.
Not long ago she received an email from someone the researchers describe as “a well-known former Major General in the IDF who served in a highly sensitive position.” The sender address was not spoofed – it was the same address and domain she had corresponded with before. Translated from Hebrew, the message read:
Hello my dear friends, Please see attached article to summarize the year. ((*eyes only*)) Of course I don’t want it to be distributed, because it is not the final version. I would be happy to receive remarks of any kind. Have a great rest of the day.
The message contained a link. Livni delayed in clicking the link, prompting several follow-up emails.
Good morning, I haven’t heard from you. Some friends sent me remarks. Your remarks are also very important to me. I know you are very busy. But I wanted to ask you to take your time and read the article. Good week
The persistence of the sender and flurry of messages raised her suspicions, according to Check Point. After Livni met with the former Major General, it became clear that the emails were sent from a compromised account and the contents of the messages were part of a phishing attack.
It was a similar story for the other targets in this campaign – suspect emails were being sent from legitimate contacts.
What Really Happened
The method of attack wasn’t particularly technical. “The most sophisticated part of the operation is the social engineering,” Sergey Shykevich, threat intelligence group manager at Check Point Research, noted. He said the campaign was “a very targeted phishing chain that is specifically crafted for each target.” Crafting phishing emails individually for each target is a technique known as spear phishing.
The attackers began by compromising the email account, and with it the address book, of a contact of their target. Then, using the hijacked account, they continued an existing email chain between that contact and the target. In time, they steered the conversation toward conning the target into clicking on or opening a malicious link or document.
“Some of the emails include a link to a real document that is relevant to the target,” Check Point’s analysts noted. For example, an “invitation to a conference or research, phishing page of Yahoo, link to upload document scans.”
“The goal,” in the end, was “to steal their personal information, passport scans, and steal access to their mail accounts.”
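The pattern described above (a trusted correspondent’s real account continuing an existing thread, then introducing a link and pressing for a click with repeated follow-ups) can be surfaced from mailbox metadata. The following is an added defensive example, not code from Check Point’s report; the thread, addresses and `.test` domains are constructed to mirror the campaign’s shape.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s)>\"']+", re.I)

# Constructed sample thread: a contact's real mailbox is taken over, an existing
# exchange is continued, a link is introduced, then the "contact" keeps nudging.
THREAD = [
    {"id": "m1", "from": "contact@example-contact.test", "in_reply_to": None,
     "ts": "2021-12-01T09:00", "body": "Thanks for the meeting last week."},
    {"id": "m2", "from": "target@example-target.test", "in_reply_to": "m1",
     "ts": "2021-12-01T10:30", "body": "Likewise, let's speak again soon."},
    {"id": "m3", "from": "contact@example-contact.test", "in_reply_to": "m2",
     "ts": "2021-12-20T08:00",
     "body": "See my article, eyes only: https://docs.example-bad.test/article"},
    {"id": "m4", "from": "contact@example-contact.test", "in_reply_to": "m3",
     "ts": "2021-12-21T08:00", "body": "I haven't heard from you, please read it."},
    {"id": "m5", "from": "contact@example-contact.test", "in_reply_to": "m4",
     "ts": "2021-12-22T08:00", "body": "Your remarks are very important to me."},
]

def analyze_thread(msgs, recipient, follow_up_window_days=7):
    """Flag a reply that introduces a link host from a sender whose earlier mail in
    this thread carried no links, and count the sender's unanswered follow-ups."""
    msgs = sorted(msgs, key=lambda m: m["ts"])
    links_seen = {}   # sender -> hosts linked so far in the thread
    findings = []
    for i, m in enumerate(msgs):
        sender = m["from"]
        hosts = {re.sub(r"^https?://", "", u, flags=re.I).split("/")[0].lower()
                 for u in URL_RE.findall(m["body"])}
        prior = links_seen.setdefault(sender, set())
        if sender != recipient and m["in_reply_to"] and not prior and hosts:
            t0 = datetime.fromisoformat(m["ts"])
            follow_ups = 0
            for n in msgs[i + 1:]:
                if n["from"] == recipient:   # recipient replied: pressure run ends
                    break
                if n["from"] == sender and datetime.fromisoformat(n["ts"]) - t0 \
                        <= timedelta(days=follow_up_window_days):
                    follow_ups += 1
            findings.append({"message": m["id"], "sender": sender,
                             "new_hosts": sorted(hosts), "follow_ups": follow_ups})
        prior |= hosts
    return findings

if __name__ == "__main__":
    print(analyze_thread(THREAD, "target@example-target.test"))
```

A real deployment would key the baseline on the correspondent’s history across the whole mailbox rather than one thread, but the signal is the same: a familiar sender, a first-time link, and a burst of unanswered reminders.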
Who and Why
“We have solid evidence that it started at least from December 2021,” Shykevich wrote, “but we assume that it started earlier.”
In their analysis, the researchers found evidence they believe points to the Iran-linked Phosphorus APT group (a.k.a. Charming Kitten, Ajax Security, NewsBeef, APT35). Phosphorus is one of Iran’s most active APTs, with “a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.”
Iran and Israel are usually at odds, and these attacks came “in the midst of escalating tensions between Israel and Iran. With recent assassinations of Iranian officials (some affiliated with Israel’s Mossad), and the thwarted attempts to kidnap Israeli citizens worldwide, we suspect that Phosphorus will continue with its ongoing efforts in the future.”