HOME
NEWS

Iranian Spear Phishing Operation Targets Former Israeli Foreign Minister


By VARINDIA - 2022-06-15
Iranian Spear Phishing Operation Targets Former Israeli Foreign Minister

Check Point Research (CPR) exposes an Iranian spear-phishing operation targeting high-profile Israeli and US executives. The attackers hijacked emails of senior people in Israel and then used it to target other high-level officials to steal personal information. Targets have included former Israeli Foreign Minister, Tzipi Livni, the former US Ambassador to Israel, former Major General of the IDF, and three others. In addition, the attackers hijacked existing email exchanges and swapped emails to new ones, pretending to be someone else, to trick their targets into speaking to them. CPR believes the goal of the operation is to steal personal information, passport scans and access email accounts. CPR’s findings come at a time of rising tensions between Israel and Iran, where former attempts by Iran to lure Israeli targets via email have occurred.

 

Operation dates to at least December 2021

Attackers impersonated email accounts of trusted contacts in the format of joe.doe.corp@gmail.com

Findings suggest the operation is connected to the Iran-attributed Phosphorus APT group


Check Point Research (CPR) has exposed an Iranian spear-phishing operation targeting high-profile Israeli and US executives. As part of their operations, the attackers take over existing accounts of the executives and create fake impersonating accounts to lure their targets into long email conversations. CPR believes the goal of the operation is to steal personal information, passport scans, and access to email accounts. CPR sees that the operation dates to at least December 2021 but assumes earlier.

 

High profile targets include:

Tzipi Livni - former Foreign Minister and Deputy Prime Minister of Israel

Former Major General who served in a highly sensitive position in the IDF

Chair of one of Israel’s leading security think tanks

Former US Ambassador to Israel

Former Chair of a well known Middle East research center

Senior executive in the Israeli defense industry

 

Attack Methodology

The attacker takes over a real e-mail account of a frequent contact of the target

The attacker proceeds to hijack an existing email conversation

The attackers then open a fake email to impersonate the contact of the target, mostly in the format of joe.doe.corp@gmail.com.

The attackers continue the hijacked conversation from the fake email and exchanges at least several emails with the target

Some of the emails include a link to a real document that is relevant to the target. e.g, invitation to a conference or research / phishing page of Yahoo/ link to upload document scans

 

Example Emails: Tzipi Livni, Former Israeli Foreign Minister

Livni was approached via email by someone impersonating a well-known former Major General in the IDF who served in a highly sensitive position. The email was sent from his genuine email address which had previous correspondence with her in the past. The email contained a link to a file which the attacker requested her to open and read. When she delayed doing so, the attacker approached her several times asking her to open the file using her email password. This prompted her suspicions. When she met the former Major General and asked him about the email, it was confirmed that he never sent such an email to her.

Figure 1. Email to Tzipi Livni on Day 1

Figure 2. Email to Tzipi Livni on Day 6

Attribution

CPR believes that the threat actors behind the operation are an Iranian-backed entity. Evidence points to a possible connection of the operation to the Iran-attributed Phosphorus APT group. The group has a long history of conducting high-profile cyber operations, aligned with the interest of the Iranian regime, as well as targeting Israeli officials.

 

Quote: Manish Alshi, Head of Channels and Growth Technologies - India & SAARC, Check Point Software Technologies:

“We have exposed Iranian phishing infrastructure that targets Israeli and US public sector executives, with the goal to steal their personal information, passport scans, and steal access to their mail accounts.
We have solid evidence that it started at least from December 2021 ; but we assume that it started earlier. The most sophisticated part of the operation is the social engineering. The attackers use real hijacked email chains, impersonations to well-known contacts of the targets and specific lures for each target. The operation implements a very targeted phishing chain that is specifically crafted for each target. In addition, the aggressive email engagement of the nation state attacker with the targets is rarely seen in the nation state cyber-attacks. CPR will continue to monitor the operation.”

See What’s Next in Tech With the Fast Forward Newsletter

SECURITY
View All
Zscaler announces AI innovations to its Data Protection Platform
Technology

Zscaler announces AI innovations to its Data Protection Platform

by VARINDIA 2024-05-20
SHIELD to enhance Swiggy’s fraud prevention and detection capabilities
Technology

SHIELD to enhance Swiggy’s fraud prevention and detection capabilities

by VARINDIA 2024-05-20
Axis Communications announces its first thermometric camera designed for Zone/Division 2
Technology

Axis Communications announces its first thermometric camera designed for Zone/Division 2

by VARINDIA 2024-05-20
SOFTWARE
View All
Hitachi Vantara and Veeam announce Global Strategic Alliance
Technology

Hitachi Vantara and Veeam announce Global Strategic Alliance

by VARINDIA 2024-05-16
Adobe launches Acrobat AI Assistant for the Enterprise
Technology

Adobe launches Acrobat AI Assistant for the Enterprise

by VARINDIA 2024-05-11
Oracle Database 23ai offers the power of AI to Enterprise Data and Applications
Technology

Oracle Database 23ai offers the power of AI to Enterprise Data and Applications

by VARINDIA 2024-05-10
START - UP
View All
Data Subject Access Request is an integrated module within ID-REDACT®
Technology

Data Subject Access Request is an integrated module within ID-REDACT®

by VARINDIA 2024-04-30
SiMa.ai Secures $70M Funds from Maverick Capital
Technology

SiMa.ai Secures $70M Funds from Maverick Capital

by VARINDIA 2024-04-05
Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure
Technology

Sarvam AI collaborates with Microsoft to bring its Indic voice LLM to Azure

by VARINDIA 2024-02-08

Tweets From @varindiamag

CIO - SPEAK
Automation has the potential to greatly improve efficiency and production

Automation has the potential to greatly improve efficiency and production

by VARINDIA
Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

Various approaches are followed to enhance efficiency, productivity, and cost-effectiveness

by VARINDIA
Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

Technology can be leveraged in several ways to boost efficiency, productivity and reduce cost

by VARINDIA
Start-Up and Unicorn Ecosystem
GoDaddy harnesses AI power for new domain name recommendations

GoDaddy harnesses AI power for new domain name recommendations

by VARINDIA
UAE’s du Telecom selects STL as a strategic fibre partner

UAE’s du Telecom selects STL as a strategic fibre partner

by VARINDIA
JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

JLR and Dassault Systèmes extend partnership for All Vehicle Programs worldwide

by VARINDIA
Rapyder partners with AWS to accelerate Generative AI led innovation

Rapyder partners with AWS to accelerate Generative AI led innovation

by VARINDIA
ManageEngine integrates its SIEM solution with Constella Intelligence

ManageEngine integrates its SIEM solution with Constella Intelligence

by VARINDIA
Elastic replaces traditional SIEM game with AI-driven security analytics

Elastic replaces traditional SIEM game with AI-driven security analytics

by VARINDIA
Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

Infosys and ServiceNow to transform customer experiences with generative AI-powered solutions

by VARINDIA
Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

Crayon Software Experts India inaugurates its ISV Incubation Center in Kolkata

by VARINDIA
Dassault Systèmes to accelerate EV charging infrastructure development in India

Dassault Systèmes to accelerate EV charging infrastructure development in India

by VARINDIA
Tech Mahindra and Atento to deliver GenAI powered business transformation services

Tech Mahindra and Atento to deliver GenAI powered business transformation services

by VARINDIA