18:22 GMT15 April 2021
Listen Live
    Get short URL

    The cybersecurity company said it could not directly link the actions of the cybercriminals with Tehran, but alleged an attack on Israeli-based specialists would be "consistent" with increased geopolitical tensions between Israel and Iran.

    The hacker group TA453, also known as "Charming Kitten" and "Phosphorus", targeted 25 "senior professionals" specialising in genetic, neurology, and oncology research based in Israel and the US in 2020, cybersecurity firm Proofpoint has said in a report. The company could not say what the hackers were planning to do with the data obtained in the course of the cybercampaign dubbed BadBlood, but noted that "Phosphorus" used credentials harvested in earlier attacks to extract emails and use compromised accounts in new cyber operations.

    Proofpoint cited outside reports linking "Phosphorus" to the Iranian government and its Islamic Revolutionary Guard Corps (IRGC), but stressed it could not "independently attribute TA453 to the IRGC". The cybersecurity company also noted that it could not "conclusively determine the motivation" of the hackers involved in the BadBlood campaign.

    Proofpoint said the techniques used to target the American and Israeli medical researchers in the 2020 attack were consistent with previous tactics used by "Phosphorus", but the group had never before conducted operations against such individuals. The cybersecurity company said TA453 had historically targeted "[Iranian] dissidents, academics, diplomats, and journalists", but suggested the BadBlood campaign could have been "a specific short-term intelligence collection requirement". Proofpoint added that a cybercampaign targeting Israeli individuals would also be "consistent" with geopolitical tensions between Israel and Iran, which intensified in 2020.

    Classic Phishing Attack

    During the BadBlood campaign, "Phosphorus" used a phishing attack to steal the credentials of the aforementioned medical professionals' Microsoft accounts, Proofpoint said. According to the cyberwatchdog, the hackers sent emails to their victims from an account masquerading as a prominent Israeli physicist and containing an invitation to read a report on the subject "Nuclear weapons at a glance: Israel".

    Proofpoint said the email contained a link that led to a fake page for Microsoft's cloud service OneDrive, which requested the user to enter their credentials thus allowing the hackers to obtain them without the users' knowledge – a classic approach in phishing attacks. The cybersecurity firm said the fake OneDrive page was not equipped with a means to bypass two-step authentication.

    This is not the first time Microsoft has allegedly been targeted by "Phosphorus". The US tech giant previously claimed that these hackers had targeted the Microsoft accounts of 100 attendees to the Munich Security Conference in 2020 and an unspecified number of staffers of a presidential campaign in 2019. The company did not elaborate whose presidential campaign was targeted that year, but a Reuters report suggested it could have been the re-election campaign of then-President Donald Trump. His campaign, however, denied the reports it had been hacked.


    US Charges Iranian Hacker With ‘Illegally Obtaining Access’ to New York Dam
    Norway Claims Iranian Hackers Target Research Top Brass
    UK, US Intel Claim Alleged Russian Hackers 'Hijacked' Iranian Cyber Op to Attack Various Facilities
    US Firm Claims Indicted Iranian Hackers Still Targeting American Universities
    US Intelligence Alleges Iranian Hackers Behind Intimidation Emails Accessed Voter Data
    Iranian, Chinese Hackers Attempted to Break Into Trump, Biden Email Accounts, Google Claims
    Tehran Refutes Microsoft’s Claims That Iranian Hackers Targeted US Election Candidates
    hacker attack, hackers, Iran, US, Israel, cybersecurity
    Community standardsDiscussion