A spear-phishing campaign has been exposed that targeted several high-ranking officials from the U.S. and Israel, as well as research institution fellows, think tanks and Israeli citizens.
The attack, which began in December and continued until recently, relied on customized phishing infrastructure, a web of fake email accounts used to impersonate legitimate third parties, and account takeover attacks in which the threat actors hijacked victims’ inboxes and inserted themselves into existing email conversations to establish trusted communications with further victims. Sergey Shykevich, threat intelligence group manager at Check Point Research, said that the attacks were "very targeted," with each spear-phishing message having its own specific chain of phishing pages customized to the victim. Researchers with Check Point Research noted a connection between the campaign and the Iran-linked Phosphorus APT group.
“The visible purpose of this operation appears to be aimed at gaining access to victims’ inboxes, their Personally Identifiable Information (PII) and their identity documents,” said researchers with Check Point Research in a Tuesday analysis. However, they also said, it’s important to note that “the spear-phishing infrastructure we exposed... puts special focus on high-ranking Israeli officials in the midst of escalating tensions between Israel and Iran.”
Several victims were targeted as part of the attack, including Tzipi Livni, the former Israeli foreign minister and vice prime minister (serving from 2006 to 2009), as well as a former major general in the Israeli defense forces and a former U.S. ambassador to Israel. Shykevich said some of these victims are also research fellows in prestigious research institutes that deal with security studies, "making them perfect targets."
"Those targets are still well known public figures and involved as advisors to many decision makers; but because they are 'former,' they are already not protected by security services the way they were protected previously," he said.
In the incident involving the latter victim, the threat actor impersonated the unnamed American diplomat who had previously served as the U.S. ambassador to Israel. Researchers believe the end goal of this attack was to reach the chair of an unnamed Israeli security think tank. Here, the attackers used email thread hijacking to send the victim emails from the diplomat’s own email account, with a request to review a linked document about an Iran nuclear deal. The link redirected the victim to a website purporting to be a URL shortener service (Litby[.]us, an apparent attempt to resemble bitly.com). That page in turn redirected victims to a phishing webpage mimicking a legitimate service such as Yahoo, OneDrive or Google Drive.
“The phishing pages include several stages: asking the user for their account ID followed by an SMS code verification page,” said researchers. “It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records.”
Other lures used in the attack included an invitation to an overseas “Skier’s Roundtable” event and a message purporting to be from a well-known former major general in the Israeli defense forces with an attached annual overview. The attackers also abused a legitimate identity verification service, which lets anyone validate customer identities by offering an option to scan IDs or documents, in order to obtain passport scans of one high-value target.
“The most sophisticated part of the operation is the social engineering,” said researchers. “The operation implements a very targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in nation-state cyber-attacks.”
Researchers linked the source code of one of the phishing pages used in the attack to an HTML page that the Iran-linked Phosphorus APT group had used for credential harvesting in a previous attack. Phosphorus (also linked to activity tracked as Cobalt Mirage and TunnelVision) has conducted ransomware and espionage attacks on U.S.- and Israel-based organizations over the past few months, including a local government network and a philanthropic organization.
“The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials,” said researchers.