The hacker group TA453, also known as "Charming Kitten" and "Phosphorus", targeted 25 "senior professionals" specialising in genetic, neurology, and oncology research based in Israel and the US in 2020, cybersecurity firm Proofpoint has said in a report. The company could not say what the hackers were planning to do with the data obtained in the course of the cybercampaign dubbed BadBlood, but noted that "Phosphorus" had used credentials harvested in earlier attacks to extract emails and to reuse the compromised accounts in new cyber operations.
Proofpoint cited outside reports linking "Phosphorus" to the Iranian government and its Islamic Revolutionary Guard Corps (IRGC), but stressed it could not "independently attribute TA453 to the IRGC". The cybersecurity company also noted that it could not "conclusively determine the motivation" of the hackers involved in the BadBlood campaign.
Proofpoint said the techniques used to target the American and Israeli medical researchers in the 2020 attack were consistent with previous tactics used by "Phosphorus", but the group had never before conducted operations against such individuals. The cybersecurity company said TA453 had historically targeted "[Iranian] dissidents, academics, diplomats, and journalists", but suggested the BadBlood campaign could have been "a specific short-term intelligence collection requirement". Proofpoint added that a cybercampaign targeting Israeli individuals would also be "consistent" with geopolitical tensions between Israel and Iran, which intensified in 2020.
Classic Phishing Attack
During the BadBlood campaign, "Phosphorus" used a phishing attack to steal the credentials of the aforementioned medical professionals' Microsoft accounts, Proofpoint said. According to the cyberwatchdog, the hackers sent emails to their victims from an account masquerading as a prominent Israeli physicist and containing an invitation to read a report on the subject "Nuclear weapons at a glance: Israel".
Proofpoint said the email contained a link that led to a fake page for Microsoft's cloud service OneDrive, which prompted the user to enter their credentials, thus allowing the hackers to obtain them without the users' knowledge – a classic approach in phishing attacks. The cybersecurity firm said the fake OneDrive page was not equipped with any means of bypassing two-step authentication.
This is not the first time Microsoft has allegedly been targeted by "Phosphorus". The US tech giant previously claimed that these hackers had targeted the Microsoft accounts of 100 attendees of the Munich Security Conference in 2020 and an unspecified number of staffers of a presidential campaign in 2019. The company did not elaborate on whose presidential campaign was targeted that year, but a Reuters report suggested it could have been the re-election campaign of then-President Donald Trump. His campaign, however, denied reports that it had been hacked.