Iranian hackers targeted Jewish figure with malware attached to podcast invite, researchers say

A prominent Jewish religious figure was the target of a phishing campaign by hackers believed to be linked to Iran’s military, researchers said on Tuesday.

In July, the hackers reportedly used several email addresses posing as the research director of the Institute for the Study of War (ISW), a think tank based in the United States.

Using that persona, the hackers invited the unnamed victim to appear on a podcast hosted by ISW. After an exchange of emails, the hackers shared a Google Drive URL leading to a ZIP archive named “Podcast Plan-2024.zip,” which contained malware called BlackSmith, designed to collect and exfiltrate intelligence.

According to a report published by Proofpoint on Tuesday, the campaign could not be directly attributed to individual members of the Islamic Revolutionary Guard Corps (IRGC), but it was carried out by actors that other researchers have tracked for years.

The researchers found at least two links between the campaign and a group previously associated with the IRGC, which is tracked under several names, including APT42, Mint Sandstorm, Charming Kitten, and TA453.

Last week, Google accused APT42 of targeting prominent individuals in the United States and Israel, including people linked to major U.S. presidential campaigns.

One of the URL shorteners used in the campaign tracked by Proofpoint was cited by Google Threat Intelligence Group in May 2024 as associated with APT42. Proofpoint also pointed to the use of the BlackSmith intelligence collection toolkit as a hallmark of Iran-backed attacks.

The researchers also noted that the group’s targets aligned with the expressed priorities of the IRGC Intelligence Organization (IRGC-IO).

Joshua Miller, a staff APT threat researcher at Proofpoint, said the actors tracked as TA453 have shown a consistent pattern of phishing campaigns reflecting “IRGC intelligence priorities.”

“This deployment of malware in an attempt to target a prominent Jewish figure likely aligns with ongoing Iranian cyber activities against Israeli concerns,” he remarked. “TA453 has persistently posed a threat to politicians, human rights activists, dissenters, and scholars.”

IRGC direction has resulted in the targeting of a range of diplomatic and political entities, from embassies in Tehran to U.S. political campaigns, according to the report.

While the lure of a podcast interview was a new tactic, Proofpoint noted that the group has used a variety of social engineering approaches to persuade targets to open or click on malicious content.

In this case, multiple emails were exchanged between the hackers and the victim before the malware was introduced.

Proofpoint said it first observed Iranian actors impersonating the ISW in phishing campaigns in February, after a domain was registered in January. The hackers sent the fake podcast invitation to several email addresses controlled by the religious figure, a trait characteristic of nation-state hackers.

In the run-up to the 2024 U.S. presidential election, cybersecurity firms and governments have reported a noticeable surge in malicious cyber operations believed to originate from Iran.

Alongside Google’s recent disclosure, Microsoft and former President Donald Trump’s campaign have accused Iran of cyber intrusions. The FBI subsequently announced an investigation into Iran-backed cyberattacks on both presidential campaigns.

Last Friday, OpenAI, the artificial intelligence giant, disclosed that it had taken down a cluster of ChatGPT accounts used to generate content for a covert Iranian influence operation.

The operation leveraged ChatGPT to craft content focused on the Gaza conflict, Israel’s presence at the Olympics, the U.S. presidential election, politics in Venezuela, and the Scottish independence movement.
