Iranian Hackers Try Intercepting Israeli & US Government Emails

The Israeli cyber security company Check Point Software Technologies was recently alerted to personalised spear-phishing attempts aimed at government officials.

Iranian hackers sent fake targeted emails to senior Israeli and American officials and executives, including former Foreign Minister Tzipi Livni and a former US ambassador to Israel, according to the Israeli cyber security firm Check Point.

Check Point was told of the hacks by Tzipi Livni after she received a number of suspicious emails from an email address belonging to a well known former Major General in the IDF who had served in a highly sensitive position. 

The emails were poorly constructed and written in broken Hebrew. The first email contained a link to a file, which the hackers asked Livni to open and read. When she didn't, the hackers asked her several more times to open the file using her email password, which made her suspicious.

After meeting with the former Major General and confirming that he had never sent any such emails to her, she asked Check Point to investigate the incident.

“The spear-phishing infrastructure we exposed puts special focus on high-ranking Israeli officials in the midst of escalating tensions between Israel and Iran,” said the Check Point Report. “The visible purpose of this operation appears to be aimed at gaining access to victims’ inboxes, their personally identifiable information and their identity documents.”

In another case found by Check Point, the Iranian hackers impersonated an American diplomat who had previously served as the US ambassador to Israel in order to target a chairperson of one of Israel's leading security think tanks. The emails by the hackers were also written in poor English.

To carry out the attacks, the hackers set up a fake URL-shortening service called Litby.us. The service does not actually work: anyone who tries to create a new short URL is asked to register for the service and provide an email address. Check Point suspects that once a victim enters their account ID, the phishing backend server sends a password recovery request to Yahoo on their behalf, and the hackers then use the authentication code the victim enters on the fake page to gain access to the victim's inbox.
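The two indicators the paragraph above describes, a link to a "shortener" nobody has heard of and an email that asks the recipient for their email password or a verification code, are both cheap to check for at the mail gateway or in a triage script. The following is an added example and not Check Point's code; the sample messages are constructed, the only indicator taken from the article is the lookalike domain litby.us, and the contact-directory check (comparing a familiar display name against the address it is known to use) is an assumption about how a recipient's organisation would detect impersonation, not something the report describes.

```python
"""Heuristic triage of the spear-phishing indicators described in the article.

Added example, not Check Point's code. Sample messages are constructed; the
lookalike shortener domain litby.us is the one indicator taken from the text.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Real, widely used shortener hosts. A short-code style link on any other host
# is worth a second look; a phishing crew can register such a domain in minutes.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A shortener-style path: a single short alphanumeric code, nothing else.
SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9_-]{3,12}/?$")

# Phrases a legitimate colleague never needs in order to share a document.
CREDENTIAL_PHRASES = (
    "email password",
    "enter your password",
    "verification code",
    "recovery code",
    "authentication code",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def shortener_findings(body: str) -> List[Finding]:
    """Flag short-code links whose host is not a known shortener service."""
    out = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in KNOWN_SHORTENERS:
            continue
        if SHORT_PATH_RE.match(parsed.path or ""):
            out.append(Finding("unknown-shortener", f"{host}{parsed.path}"))
    return out


def credential_request_findings(body: str) -> List[Finding]:
    """Flag requests for the recipient's password or a one-time code."""
    lower = body.lower()
    return [Finding("credential-request", p) for p in CREDENTIAL_PHRASES if p in lower]


def sender_mismatch_findings(display_name: str, from_addr: str,
                             known_contacts: Dict[str, str]) -> List[Finding]:
    """Flag a familiar display name arriving from an unfamiliar address.

    Assumption: the recipient keeps a directory mapping known contacts to the
    address they normally write from (hypothetical check, not from the report).
    """
    expected = known_contacts.get(display_name.lower())
    if expected and expected.lower() != from_addr.lower():
        return [Finding("display-name-impersonation",
                        f"{display_name} <{from_addr}>, expected <{expected}>")]
    return []


def triage(msg: Dict[str, str], known_contacts: Dict[str, str]) -> List[Finding]:
    """Run all three checks over one parsed message and return the findings."""
    findings = sender_mismatch_findings(msg["display_name"], msg["from"], known_contacts)
    findings += shortener_findings(msg["body"])
    findings += credential_request_findings(msg["body"])
    return findings


# Constructed sample data (hypothetical contact and addresses).
KNOWN_CONTACTS = {"a. contact": "a.contact@example.org"}

SAMPLE_PHISH = {
    "display_name": "A. Contact",
    "from": "a.contact.private@example.net",
    "body": "Please open and read the file: https://litby.us/Xk3f9Q . "
            "Use your email password to open it.",
}

SAMPLE_BENIGN = {
    "display_name": "A. Contact",
    "from": "a.contact@example.org",
    "body": "Slides from today: https://bit.ly/3abcDEF and the full report at "
            "https://www.example.org/reports/2022/annual.pdf",
}

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, [(f.rule, f.detail) for f in triage(sample, KNOWN_CONTACTS)])
```

None of these rules is conclusive on its own; a real shortener link from a real colleague is common. The point is that the combination the article describes (unfamiliar address, unfamiliar shortener, and a request for the email password) is exactly what a gateway rule can score on, and that the password-recovery relay described above only works if the victim types the code into the attacker's page, so a warning at that moment is the cheapest place to break the chain.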

Check Point's analysis also found an indication that the attacker had obtained a scan of the passport of one high-profile target. Its research exposed a string of phishing attempts against envoys, politicians, defense officials, academics and businesspeople. High-profile targets of this operation include:

  • Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel
  • Former Major General who served in a highly sensitive position in the Israel Defense Forces (IDF)
  • Chair of one of Israel’s leading security think tanks
  • Former US Ambassador to Israel
  • Former Chair of a well known Middle East research centre
  • Senior executive in the Israeli defense industry

Check Point has linked the attack to an Iranian-backed entity on two grounds: its primary targets were Israeli officials, and a comment in the source code of the phishing page included a domain previously used by an Iranian hacker group called Phosphorus. Phosphorus has impersonated trustworthy people in the past in attempts to solicit sensitive information from journalists, think tank experts and senior professors.

  • A report published by the cyber security company Proofpoint in July 2021 discovered that Phosphorus had impersonated British scholars at the University of London's School of Oriental and African Studies.
  • The Phosphorus group has also targeted medical professionals in past attacks. In February 2022, the cyber security firm Cybereason reported an increase in activity by the Phosphorus group, saying that multiple attacks were carried out by the group by exploiting Microsoft Exchange Server vulnerabilities at the end of 2021.
  • In 2019, Microsoft accused Phosphorus hackers of targeting accounts associated with a US presidential campaign.

At the beginning of 2022 the group began using a new set of tools it had developed, including a backdoor written in PowerShell and a number of open-source tools. Cybereason also found an IP address potentially linking the group to the Memento ransomware and other tools.

Sources: Check Point / JPost / Israel Hayom / Algemeiner / Daily Caller / Bloomberg / Haaretz

