31 March 2021

Iran-linked threat actor targets medical professionals in the US and Israel with phishing attacks


Medical professionals who specialize in genetics, neurology, and oncology research in the United States and Israel have been targeted in a recent credential phishing campaign launched by an Iran-linked threat actor tracked by security researchers as TA453, Charming Kitten or Phosphorus.

While the threat actor's previous attacks focused on dissidents, academics, diplomats, and journalists, this latest campaign is a deviation from the group’s usual activity. Proofpoint researchers dubbed it ‘BadBlood’ because of its medical focus and the continued geopolitical tensions between Iran and Israel.

The BadBlood campaign was first spotted in December 2020 and involved phishing emails sent from a Gmail account ostensibly belonging to a prominent Israeli physicist. The phishing message used the subject "Nuclear weapons at a glance: Israel" and contained social engineering lures relating to Israeli nuclear capabilities, as well as a link to a malicious attacker-controlled domain.

This link pointed potential victims to a landing site spoofing Microsoft's OneDrive service, complete with a PDF document logo. When a victim attempted to view and download the document, they were presented with a fake Microsoft login page designed to steal their credentials.
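The chain described above (a mail link to an attacker-controlled host dressed up as OneDrive, then a fake Microsoft sign-in page) is a pattern that a mail gateway or SOC triage script can check links against: a hostname carrying a Microsoft brand keyword that is not one of Microsoft's own sign-in hosts is a strong signal. The Python below is an added example written for this article, not Proofpoint's or this site's code; the allowlist, the brand keyword list, and the sample email with its `.invalid` domain are constructed assumptions, and a real deployment would use the organisation's own allowlist.

```python
import re
from urllib.parse import urlparse

# Constructed, deliberately short allowlist of hosts a genuine Microsoft/OneDrive
# sign-in flow uses. A real deployment would maintain its own list.
MICROSOFT_HOSTS = {
    "login.microsoftonline.com",
    "login.live.com",
    "onedrive.live.com",
    "microsoft.com",
}

# Brand keywords that a credential-harvesting page may carry in its hostname.
BRAND_KEYWORDS = ("onedrive", "microsoft", "office", "sharepoint")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_microsoft_host(host):
    """True if host is exactly an allowlisted host or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in MICROSOFT_HOSTS)


def classify_url(url):
    """Return a reason string if the URL looks like a brand-spoofing login page,
    or None if it looks benign under the rules of this example."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unparseable host"
    if is_microsoft_host(host):
        return None
    # A bare IP address is never a legitimate Microsoft sign-in host.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "raw IP address host"
    # Brand name on a non-Microsoft host: the OneDrive-lookalike pattern.
    for kw in BRAND_KEYWORDS:
        if kw in host:
            return f"brand keyword '{kw}' on non-Microsoft host {host}"
    # Login-style path on an unknown host is weaker but still worth a look.
    path = parsed.path.lower()
    if any(seg in path for seg in ("/login", "/signin", "/onedrive")):
        return f"login-style path on unknown host {host}"
    return None


def extract_urls(text):
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def flag_email(body):
    """Scan an email body and return [(url, reason)] for every suspicious link."""
    return [(u, r) for u in extract_urls(body) if (r := classify_url(u))]


# Constructed sample message: the first link imitates the OneDrive landing page
# described in the article, the second is a genuine Microsoft sign-in URL.
SAMPLE_EMAIL = """\
Subject: Nuclear weapons at a glance: Israel
Please review the attached document:
https://onedrive-share.example-files.invalid/view/document.pdf
Sign in: https://login.microsoftonline.com/common/oauth2/authorize
"""

if __name__ == "__main__":
    for url, reason in flag_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {url}: {reason}")
```

The check deliberately treats the allowlist as authoritative and the keyword match as the trigger, so a subdomain such as `onedrive.live.com` passes while `microsoft.com.something.invalid` is caught: `endswith("." + h)` only matches when the allowlisted name is the registrable suffix, not merely a substring.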

“TA453 targeted less than 25 senior professionals at a variety of medical research organizations located in the US and Israel. Proofpoint analysis of the targets’ publicly available research efforts and resumes indicate TA453 targeted individuals with a background in either genetics, oncology, or neurology. These medical professionals appear to be extremely senior personnel at a variety of medical research organizations. Additionally, TA453 targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran during 2020,” Proofpoint said.

While previous reports indicate that TA453 appears to be working on behalf of the Islamic Revolutionary Guard Corps (IRGC), Iran’s military intelligence service, Proofpoint said that it “cannot independently attribute TA453 to the IRGC”; however, “the tactics and techniques observed in BadBlood continue to mirror those used in historic TA453 campaigns and the overall targeting of TA453 campaigns detected by Proofpoint appear to support IRGC intelligence collection priorities.”
