Medical professionals who specialize in genetics, neurology, and oncology research in the United States and Israel have been targeted in a recent credential phishing campaign launched by an Iran-linked threat actor tracked by security researchers as TA453, Charming Kitten or Phosphorus.
The threat actor's previous attacks focused on dissidents, academics, diplomats, and journalists, so this latest campaign is a deviation from the group's usual activity. Proofpoint researchers dubbed it 'BadBlood' based on its medical focus and the continued geopolitical tensions between Iran and Israel.
The BadBlood campaign was first spotted in December last year and involved phishing emails sent from a Gmail account ostensibly belonging to a prominent Israeli physicist. The phishing message used the subject "Nuclear weapons at a glance: Israel" and contained social engineering lures relating to Israeli nuclear capabilities, as well as a link to a malicious attacker-controlled domain.
This link pointed potential victims to a landing site spoofing Microsoft's OneDrive service along with an image of a PDF document logo. Once a victim attempted to view and download the document they were presented with a fake Microsoft login page designed to steal users’ credentials.
“TA453 targeted less than 25 senior professionals at a variety of medical research organizations located in the US and Israel. Proofpoint analysis of the targets’ publicly available research efforts and resumes indicates TA453 targeted individuals with a background in either genetics, oncology, or neurology. These medical professionals appear to be extremely senior personnel at a variety of medical research organizations. Additionally, TA453 targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran during 2020,” Proofpoint said.
While previous reports indicate that TA453 appears to be working on behalf of the Islamic Revolutionary Guard Corps (IRGC), Iran’s military intelligence service, Proofpoint said that it “cannot independently attribute TA453 to the IRGC”. It added, however, that “the tactics and techniques observed in BadBlood continue to mirror those used in historic TA453 campaigns and the overall targeting of TA453 campaigns detected by Proofpoint appear to support IRGC intelligence collection priorities.”