A major new state-backed spear-phishing operation targeting multiple high-ranking Israeli and US officials has been uncovered by security researchers.
The campaign has been attributed to the Iranian APT group Phosphorus, according to Check Point.
It has targeted former Israeli foreign minister and deputy prime minister Tzipi Livni, a former US ambassador to Israel, and a former major general in the Israel Defense Forces (IDF). The activity has been dated back to at least December 2021.
The attacker first compromises the inbox of a frequent contact of the target and hijacks an existing conversation between the two. The attacker then creates a new, spoofed email address impersonating that same contact and continues the hijacked conversation from it, across multiple messages. Check Point noted that genuine documents are sometimes attached to make the exchange look legitimate.
In one case, Livni was contacted by the ‘retired IDF major general’ from his real email address and asked several times to click on a link and enter her password to open a document. When she met him later on, he confirmed that he had never sent the email.
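The tell-tale sign of the chain described above is a reply that continues an existing thread under a known contact's display name but from a different address. The following is an added detection example, not code from Check Point or from the original article: it walks a constructed three-message thread (all names, addresses and domains are hypothetical) and flags any message whose sender display name was already seen in that thread with a different address. It deliberately does not learn the flagged address, so later messages from the lookalike keep being flagged.

```python
"""Flag a mid-thread sender switch: a reply whose From display name matches an
earlier participant of the same conversation but whose address differs."""
import email
from email.utils import getaddresses, parseaddr

# Constructed sample thread (hypothetical names and domains, not from the report).
# Messages 1 and 2 are genuine; message 3 continues the thread from a lookalike
# address that reuses the contact's display name.
SAMPLE_MESSAGES = [
    """From: "Dan Levi" <dan.levi@example.org>
To: "Target" <target@example.net>
Message-ID: <m1@example.org>
Subject: Meeting notes

Attached are the notes from last week.
""",
    """From: "Target" <target@example.net>
To: "Dan Levi" <dan.levi@example.org>
Message-ID: <m2@example.net>
In-Reply-To: <m1@example.org>
References: <m1@example.org>
Subject: Re: Meeting notes

Thanks, received.
""",
    """From: "Dan Levi" <dan.levi@example-mail.com>
Reply-To: "Dan Levi" <dan.levi@example-mail.com>
To: "Target" <target@example.net>
Message-ID: <m3@example-mail.com>
In-Reply-To: <m2@example.net>
References: <m1@example.org> <m2@example.net>
Subject: Re: Meeting notes

One more document for you; please sign in to view it.
""",
]


def _norm_name(name):
    """Collapse whitespace and case so 'Dan  Levi' and 'dan levi' compare equal."""
    return " ".join(name.split()).casefold()


def _thread_key(msg):
    """Identify the conversation by its root Message-ID (first entry of
    References, else In-Reply-To, else the message's own Message-ID)."""
    refs = (msg.get("References") or "").split()
    if refs:
        return refs[0]
    in_reply_to = msg.get("In-Reply-To")
    if in_reply_to:
        return in_reply_to.strip()
    return (msg.get("Message-ID") or "").strip()


def find_sender_switches(raw_messages):
    """Process messages in order and return one alert dict per message whose
    sender display name already belongs to a different address in the thread."""
    threads = {}  # thread key -> {normalised display name -> set of addresses}
    alerts = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        participants = threads.setdefault(_thread_key(msg), {})
        name, addr = parseaddr(msg.get("From", ""))
        known = participants.get(_norm_name(name), set())
        if name and known and addr.casefold() not in known:
            alerts.append({
                "message_id": (msg.get("Message-ID") or "").strip(),
                "display_name": name,
                "new_address": addr,
                "known_addresses": set(known),
                "reply_to": parseaddr(msg.get("Reply-To", ""))[1] or None,
            })
            continue  # do not let the suspicious address become "known"
        # Record the sender and every recipient as legitimate thread participants.
        recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
        for n, a in [(name, addr)] + recipients:
            if n and a:
                participants.setdefault(_norm_name(n), set()).add(a.casefold())
    return alerts


if __name__ == "__main__":
    for alert in find_sender_switches(SAMPLE_MESSAGES):
        print(f"{alert['message_id']}: '{alert['display_name']}' now writes from "
              f"{alert['new_address']} (previously {sorted(alert['known_addresses'])})")
```

The check is keyed on the thread root rather than the Subject line, so a lookalike that merely reuses "Re: Meeting notes" without quoting the References chain would start a new thread and need a separate contact-book comparison; in production the known-address map would come from the mailbox's history rather than the batch being scanned.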
Check Point threat intelligence group manager Sergey Shykevich said: “We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal of stealing their personal information, passport scans, and access to their mail accounts.”
“The most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations of well-known contacts of the targets and specific lures for each target. The operation implements a highly targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation-state attacker with the targets is rarely seen in nation-state cyber-attacks.”
In 2019, Microsoft said it had disrupted the Phosphorus group (also known as APT35 and Charming Kitten) after a court order allowed it to take control of 99 phishing domains used by the group.