Iranian hackers believed to be tied to the country’s government have been conducting an espionage campaign since 2021 that targets government and military officials with spear phishing emails.
The campaign is unusual in that the account takeovers start with lower-profile contacts of the real target, and the attackers then use those contacts' existing email conversations to work their way into the victim's confidence.
Iranian hackers use chain of account takeovers to approach VIP targets
The spear phishing campaign is highly targeted, directed at Israeli government and military figures in decision-making positions. The first step appears to be identification of people these targets are in regular contact with, and an account takeover attack that provides access to the emails of the “smaller fish.”
The attackers abuse the existing relationship between these contacts and the true target by finding ongoing email conversations and jumping into them, pretending to be the contact. They then redirect the conversation to a similar-looking external email address that they control, presumably so that the owner of the compromised account does not notice the exchange and raise the alarm.
After back and forth that can span weeks, the attacker eventually tries to pass a malicious document to the VIP target. These are generally disguised with a custom link shortener and make use of a legitimate document validation service to inspire trust in the target. Security researchers have also found some evidence that the Iranian hackers might try to lure the targets out of Israel for a kidnapping attempt should the opportunity present itself.
The account takeover scheme was uncovered by Check Point Research when one of their clients, a former Israeli minister, reported suspicious emails coming from a military official she was in contact with. The hackers made repeated attempts to get the target to access a document that supposedly required her email username and password to access.
The spear phishing attempts have been tied to Iran by a domain name previously seen in attacks conducted by the country's state-backed threat groups. The earlier campaign that used that domain relied on similar techniques to trick victims into giving up their email credentials for an account takeover. The attackers have also shown a willingness to steal encrypted files, indicating they have the resources to spend months or even years decrypting them.
Spear phishing campaign seeks Israel government and military intelligence
The spear phishing attempts have been observed since at least late 2021. The hackers seem most interested in getting to the personal documents of high-level Israeli officials, particularly passport scans. The Iranian hacking group in question, APT35, has been active since at least 2013 and is well-known for interfering in the affairs of other countries.
Potential victims are advised to keep a careful eye on the sender address of incoming messages, looking for lookalike domains, particularly if a contact suddenly revives an email chain that has been dormant for some time. Any attempt to pass a password-protected document, or one that asks for email credentials to open, should be verified with the contact via another channel, ideally a phone call.
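A small triage check for the two warning signs described above (a reply in an existing thread that arrives from a lookalike address, and a long-dormant thread that is suddenly revived), written as an added example that is not from the original article or from Check Point's research. It assumes the mailbox has been exported as a list of dicts carrying the From, Message-ID, In-Reply-To and Date headers; the three sample messages, the names and the domains in them are constructed.

```python
"""Flag thread replies that come from a lookalike address or revive a dormant thread.

Added example; the message list below is constructed, not taken from any real mailbox.
"""
from datetime import datetime
from difflib import SequenceMatcher
from email.utils import parseaddr

DATE_FMT = "%Y-%m-%d %H:%M"

# Constructed sample: a genuine exchange with a contact, a gap of more than two
# months, then a "reply" quoting the old thread from a lookalike domain
# (examp1e-ministry-gov.com instead of example-ministry.gov.il).
MESSAGES = [
    {"From": "Dana Levi <dana.levi@example-ministry.gov.il>",
     "Message-ID": "<1@example-ministry.gov.il>", "In-Reply-To": None,
     "Date": "2022-01-10 09:00"},
    {"From": "Target <target@example.org>",
     "Message-ID": "<2@example.org>", "In-Reply-To": "<1@example-ministry.gov.il>",
     "Date": "2022-01-10 11:30"},
    {"From": "Dana Levi <dana.levi@examp1e-ministry-gov.com>",
     "Message-ID": "<3@examp1e-ministry-gov.com>", "In-Reply-To": "<2@example.org>",
     "Date": "2022-03-22 08:15"},
]


def _parse(msg):
    """Return (display name, address, timestamp) for a message dict, all normalised."""
    name, addr = parseaddr(msg["From"])
    return name.strip().lower(), addr.lower(), datetime.strptime(msg["Date"], DATE_FMT)


def address_similarity(a: str, b: str) -> float:
    """Crude lookalike score between two addresses; 1.0 means identical."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_suspicious_replies(messages, dormant_days=30, min_similarity=0.75):
    """Return [(message_id, [reasons])] for replies that warrant out-of-band verification.

    A reply is flagged when its sender address was never seen earlier in the thread
    but resembles an earlier sender (by address similarity or identical display
    name), and/or when it arrives more than dormant_days after the thread's last
    activity. Only the In-Reply-To chain is walked, not sibling branches.
    """
    by_id = {m["Message-ID"]: m for m in messages}
    findings = []
    for msg in messages:
        parent_id = msg.get("In-Reply-To")
        if parent_id not in by_id:
            continue  # new thread, or the parent is not in this mailbox
        name, addr, when = _parse(msg)
        reasons = []

        # Walk up the chain, collecting earlier senders and the latest activity time.
        seen = {}          # address -> display name
        last_when = None
        pid = parent_id
        while pid in by_id:
            p_name, p_addr, p_when = _parse(by_id[pid])
            seen.setdefault(p_addr, p_name)
            last_when = p_when if last_when is None else max(last_when, p_when)
            pid = by_id[pid].get("In-Reply-To")

        if addr not in seen:
            for known_addr, known_name in seen.items():
                score = address_similarity(addr, known_addr)
                if score >= min_similarity or (name and name == known_name):
                    reasons.append(f"lookalike of {known_addr} (similarity {score:.2f})")
                    break

        if last_when is not None:
            gap = (when - last_when).days
            if gap >= dormant_days:
                reasons.append(f"revives a thread dormant for {gap} days")

        if reasons:
            findings.append((msg["Message-ID"], reasons))
    return findings


if __name__ == "__main__":
    for message_id, reasons in find_suspicious_replies(MESSAGES):
        print(message_id)
        for reason in reasons:
            print("  -", reason)
```

On the sample data only the third message is flagged, for both reasons: its address is not the contact's real one but closely resembles it, and it arrives some seventy days after the thread went quiet. The display-name check will also fire on common names shared by unrelated contacts, so treat the output as a prompt for the phone call the article recommends, not as a verdict.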