Iranian Hackers Try Intercepting Israeli & US Government Emails

The Israeli cyber security company Check Point Software Technologies was recently alerted to the personalised spear-phishing hacking attempts on government officials. 

Iranian hackers sent fake targeted emails to senior Israeli and American officials and executives, including former Foreign Minister Tzipi Livni and a former US ambassador to Israel, according to the Israeli cyber security firm Check Point.

Check Point was told of the hacks by Tzipi Livni after she received a number of suspicious emails from an email address belonging to a well known former Major General in the IDF who had served in a highly sensitive position. 

The emails were poorly constructed and were written in broken Hebrew. The first email contained a link to a file, which the hackers asked Livni to open and read. When she didn’t, the hackers asked her a number of times to open the file using her email password, which caused her to have suspicions.

After meeting with the former Major General and confirming that he had never sent any such emails to her, she asked Check Point to investigate the incident.

“The spear-phishing infrastructure we exposed puts special focus on high-ranking Israeli officials in the midst of escalating tensions between Israel and Iran,” said the Check Point Report. “The visible purpose of this operation appears to be aimed at gaining access to victims’ inboxes, their personally identifiable information and their identity documents.”

In another case found by Check Point, the Iranian hackers impersonated an American diplomat who had previously served as the US ambassador to Israel in order to target a chairperson of one of Israel's leading security think tanks. The emails by the hackers were also written in poor English.

The hackers created a fake URL shortener service called Litby.us in order to carry out their attacks. The fake service doesn't function and if you try to create a new short URL it asks you to register for the service and send an email. Check Point suspects that once victims enter their account ID, the phishing backend server would send a password recovery request to Yahoo and the hackers would use the authentication code to gain access to the victim's inbox.

Check Point's analysis found an indication that the attacker obtained the scan of the passport of a high profile target and their research has exposed a string of phishing attempts by hackers who targeted envoys, politicians, defense officials, academics, and businesspeople. High profile targets of this operation include:  

  • Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel
  • Former Major General who served in a highly sensitive position in the Israeli Defense Forces (IDF)
  • Chair of one of Israel’s leading security think tanks
  • Former US Ambassador to Israel
  • Former Chair of a well known Middle East research centre
  • Senior executive in the Israeli defense industry

Check Point has linked the attack to an Iranian-backed entity because its primary targets were Israeli officials and because a comment in the source code of the phishing page included a domain that has been used by an Iranian hacker group called Phosphorus. The Iranian Phosphorus hacker group has impersonated trustworthy people in the past in attempts to solicit sensitive information from journalists, think tank experts and senior professors. 

  • A report published by the cyber security company Proofpoint in July 2021 discovered that Phosphorus had impersonated British scholars at the University of London's School of Oriental and African Studies.
  • The Phosphorus group has also targeted medical professionals in past attacks. In February 2022, the cyber security firm Cybereason reported an increase in activity by the Phosphorus group, saying that multiple attacks were carried out by the group by exploiting Microsoft Exchange Server vulnerabilities at the end of 2021.
  • In 2019, Microsoft accused Phosphorus hackers of targeting accounts associated with a US presidential campaign.

The group began using a new set of tools that they had developed at the beginning of 2022, including a backdoor for the PowerShell scripting language and a number of open-source tools. Cybereason also found an IP address potentially linking the group to the Memento Ransomware and other tools.

CheckPoint:       JPOst:    Israel Hayom:     Algemeiner:     Daily Caller:    Bloomberg:     Haaretz

You Might Also Read: 

Israel & Iran Locked In Cyber Conflict:
 

« Ransomware Is Driving Cyber Security Professionals To Consider Quitting
A New Era of Ransomware »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Korea Information Security Industry Association (KISIA)

Korea Information Security Industry Association (KISIA)

KISIA is a non-profit organization for the information security industry in Korea.

ThreatQuotient

ThreatQuotient

ThreatQuotient delivers an open and extensible threat intelligence platform to provide defenders the context, customization and collaboration needed for increased security effectiveness.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

ChainSecurity

ChainSecurity

ChainSecurity provides products and services for securing smart contracts and blockchain protocols and conducts R&D in the areas of security, program analysis, and machine learning.

Onsist

Onsist

Onsist brand protection services provide proactive defense against fraudulent use of your brand online.

Q-Net Security

Q-Net Security

Protect your critical networks. Q-Net Security make hardware that provides the strongest drop-in security for your existing critical infrastructure.

Q6 Cyber

Q6 Cyber

Q6 Cyber is an innovative threat intelligence company collecting targeted and actionable threat intelligence related to cyber attacks, fraud activity, and existing data breaches.

MetaCert

MetaCert

MetaCert’s Zero Trust browser software reduces the risk of organizations being compromised with a phishing-led cyberattack by more than 98%.

Cyber Security Canada

Cyber Security Canada

Cyber Security Canada is an accredited Certification Body for government-backed Cyber Security Certification Programs, designed specifically for small and medium-sized Canadian businesses.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

Red Goat Cyber Security

Red Goat Cyber Security

Red Goat Cyber Security have created excellent, informative and interactive Social Engineering Awareness training which is suitable for all levels of staff.

Xmirror Security

Xmirror Security

Xmirror Security focuses on integrated detection and defense of the continuous threat to the DevSecops software supply-chain with artificial intelligence technology as the core.

Visory

Visory

Great businesses depend on great technology. We make sure our clients go to market with enterprise-level technology and world-class security for their data and infrastructure.

The CyberWire

The CyberWire

The CyberWire gets people up to speed on cyber quickly and keeps them a step ahead in a continually changing industry.

UPSTACK

UPSTACK

UPSTACK - One partner, end-to-end expertise, helping develop the solutions you need – when you need them.