Israel’s Shin Bet internal intelligence agency says it has thwarted a phishing campaign by Iran targeting primarily Israeli civil servants and researchers.
On Sunday, the agency disclosed some details of the LinkedIn-based campaign, which sought to infect the victims’ computers with malicious software and gather information.
The Iranians created false profiles posing as real Israeli citizens with whom the targets may have had personal or professional interactions. Then, they initiated conversations on LinkedIn and continued correspondence through email, according to the agency.
During their correspondence, the impostors would send an invitation to a conference or another digital file of interest, such as a study or article. Clicking on these links would install a malicious file on the recipient's computer, granting the Iranian entity comprehensive access to the compromised system, enabling remote takeover and complete exposure of the information stored on it.
Israel-based news channel i24NEWS cited Shin Bet as noting that the hackers originally compiled the information needed for the LinkedIn profiles from social media networks, allowing them to establish a connection and then engage in correspondence tailored to the target's specific interests.
The campaign is just the latest in a series of similar operations by the regime’s cyber agents against Tehran’s archnemesis Israel. Iran-sponsored cyberspies have recently refined their techniques, using fake personas of real people to add credibility to phishing emails designed to deliver malware.
Mehdi Saremifar, a Canada-based sci-tech journalist, told Iran International on Sunday that the cyber-attacks by the Iranian regime’s hackers over the past several years indicate that several organizations or institutions in Iran are coordinating their efforts for such campaigns. He said the country’s intelligence ministry and the cyber army of the Revolutionary Guards are among the units involved in the regime’s warfare in cyberspace.
According to Saremifar, Iran’s attacks are mainly aimed at phishing and extorting ransom, with some also gathering military intelligence; one such case led to a drone attack against an oil tanker associated with an Israeli billionaire off the coast of Oman in November 2022.
According to a 2022 report by security firm Proofpoint, Iran-aligned agents deployed a social engineering impersonation technique, informally called Multi-Persona Impersonation, in mid-2022, in which the threat actor uses at least two stolen or hijacked personas on a single email thread to convince targets of the legitimacy of the campaign. The personas used are real people whom the target knows and trusts.
Last August, Meta, formerly the Facebook company, removed at least two Iranian cyberespionage groups that were targeting academics, activists, journalists and other victims. Also in 2022, Iranian hackers calling themselves Sharp Boys targeted several travel booking sites of an Israeli company and stole the personal information of more than 300,000 Israelis.
Earlier in the year, researchers at Check Point's Incident Response Team said an Iran-linked group calling itself Moneybird had deployed ransomware against Israeli organizations.