Iranian phishing attack said to target top Israeli officials, former US ambassador

Iranian hackers recently led a spear-phishing operation against high-ranking Israeli and Israeli-linked targets, including former foreign minister Tzipi Livni and a former U.S. ambassador to the Jewish state, an Israeli cybersecurity firm said Tuesday.

In a statement, Check Point Research described the attack, saying it employed a wide array of fake email accounts to impersonate trusted parties, take over the targets’ accounts, steal information and use it to attack new targets. In many cases, the email correspondence or documents linked to by the attackers referenced security issues related to Iran and Israel.

Check Point said its analysis led it to believe the attack was perpetrated by an Iranian group called Phosphorus, which has a long history of conducting high-profile cyber operations aligned with Tehran’s interests as well as targeting Israeli officials.

The targets were not named by Check Point to protect their privacy, with the exception of Livni, who agreed to let her name be published. The list of targets also included a well-known former major general in the Israel Defense Forces who served in a “highly sensitive position,” the current chairperson of one of Israel’s leading security think tanks, the former chairperson of a well-known Middle East research center, and a senior executive in the Israeli defense industry.

According to the statement, the hackers “performed an account takeover of some victims’ inboxes and then hijacked existing email conversations to start attacks from an already existing email conversation between a target and a trusted party and continue that conversation in that guise.”

They created a fake URL shortener website to disguise the phishing links, calling it Litby[.]us – apparently trying to resemble the popular Bitly URL shortening service. They also utilized a legitimate identity verification service, validation.com, for the theft of identity documents.
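A mail filter can catch this kind of shortener imitation by comparing link hosts against the shorteners it trusts. The sketch below is an added example, not code from Check Point's report; the allow-list, function names and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: illustrative allow-list mapping real shortener hosts to brand names.
TRUSTED = {"bit.ly": "bitly", "bitly.com": "bitly", "tinyurl.com": "tinyurl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap as a single edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_host(host):
    """Return (verdict, brand) for one hostname, defanged or not."""
    host = host.replace("[.]", ".").lower().strip(".")
    if host in TRUSTED:
        return ("trusted", TRUSTED[host])
    labels = host.split(".")
    # Naive registrable label; production code should use the Public Suffix List.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in sorted(set(TRUSTED.values())):
        # Same letters reordered (litby/bitly) or at most one edit away.
        if sorted(label) == sorted(brand) or osa_distance(label, brand) <= 1:
            return ("lookalike", brand)
    return ("unknown", None)

def flag_links(body):
    """List (url, brand) for each link in a message body that imitates a shortener."""
    hits = []
    for url in URL_RE.findall(body):
        host = urlsplit(url.replace("[.]", ".")).hostname or ""
        verdict, brand = classify_host(host)
        if verdict == "lookalike":
            hits.append((url, brand))
    return hits

# Constructed sample message; the paths are made up and the link is kept defanged.
SAMPLE = """Please review the draft: https://litby[.]us/abc123
Earlier version: https://bit.ly/xyz789
Agenda: https://www.example.org/agenda"""
```

Short brand names produce false positives under any edit-distance rule, so a hit is best routed to review rather than blocked outright.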

“The visible purpose of this operation appears to be gaining access to victims’ inboxes, their personally identifiable information and their identity documents,” Check Point said.

Opposition leader Tzipi Livni attends a faction meeting in the Knesset on November 19, 2018. (Miriam Alster / FLASH90)

Livni, a former diplomat and veteran politician who served as foreign minister, deputy prime minister and justice minister, was contacted via email by someone impersonating the former IDF major general, who was using the latter’s authentic email account after gaining control of the account.

The email contained a link to a file that the attacker asked Livni to open. “When she delayed doing so, the attacker approached her several times asking her to open the file using her email password,” piquing her suspicions, according to Check Point.

Emails from the genuine account of a former IDF major general sent to former foreign minister Tzipi Livni, as part of an alleged Iranian spear phishing attack. (Check Point Research / courtesy)

“When she met the former major general and asked him about the email, it was confirmed that he never sent such an email to her,” the statement said. “She then approached Check Point to investigate this suspicious event.”

In another case, the attackers impersonated an American diplomat who previously served as the US ambassador to Israel, and targeted the security think tank chairperson. They initiated email correspondence that followed up on a genuine, copy-pasted thread between the two officials from two weeks earlier, which had been stolen from the inbox of one of them.

An email exchange between an alleged Iranian hacker impersonating a former US ambassador to Israel, and the chairperson of one of Israel’s leading think tanks. (Check Point Research / courtesy)

Check Point said the campaign had several characteristics to indicate it was run by an Iran-backed entity, including a fake Yahoo login page copied from an Iranian IP address, and a commented-out section of code that indicates it may also have been used in a previous attack by Phosphorus.

A fake Yahoo login page used in an alleged Iranian spear phishing attack. (Check Point Research / courtesy)

The news came two days after Hebrew media reported that Israeli and Turkish security agencies had last month uncovered an Iranian plot to kidnap Israeli tourists in Turkey and foiled it in the nick of time. Israel has since issued a top-level travel warning to Istanbul.

Last month, the Shin Bet security agency said it had uncovered and foiled an attempt by Iranian operatives to lure Israeli academics, businesspeople and former defense officials abroad, in an effort to kidnap or otherwise harm them.

Also in May, the Shin Bet said it uncovered an Iranian operation that tried to recruit Israeli civilians to collect information on targets in Israel, using a fake social media profile.

The Shin Bet has warned that Iranian intelligence is constantly looking to recruit Israelis through the internet in order to collect information about the country.

Last year, an Israeli man was nearly tricked by an Iranian operative into traveling to the United Arab Emirates, but called off his trip after hearing of Iranian efforts to kidnap or otherwise harm Israeli citizens.

In 2020, the Shin Bet arrested another Israeli citizen suspected of spying for Iran.
