Suspected Iranian hackers have impersonated a well-known Israeli physicist as part of a broader campaign to break into the email accounts of some two-dozen medical researchers in Israel and the U.S., email security firm Proofpoint said Wednesday.
The intrusion attempts — carefully crafted efforts to spy on senior medical professionals in the genetic, neurology and oncology fields — are the handiwork of the Charming Kitten hacking group, Proofpoint said. A 2019 U.S Justice Department indictment linked the group to the Iranian military.
The phishing campaign shows how, more than a decade after the Stuxnet worm’s infiltration of an Iranian nuclear facility, hacking is still central to the high-stakes spying game between Iran, Israel and the U.S. And it is but one of several recent examples, including the targeting of the 2020 U.S. election, of how Iranian hackers are capable of threatening U.S. interests.
In this case, the suspected Iranian operatives set up a Gmail account in the name of Daniel Zajfman, an accomplished Israeli physicist, according to Proofpoint. The hackers sent a series of spearphishing emails from the Zajfman account to the medical professionals purporting to contain information on Israel’s nuclear program. Once opened, the malicious links can siphon off users’ email credentials.
The goal of the operation could be to acquire medical research or personal health data on intelligence targets of interests to Tehran, the researchers said. It was not clear how successful the hacking was.
Zajfman, who leads a research center near Tel Aviv, did not respond to a request for comment on the research.
He is not the only famous scientist to be caught up in cloak and dagger operations between the two Middle East rivals. As the alleged Iranian hackers were impersonating Zajfman, a team of assassins mowed down prominent Iranian nuclear scientist Mohsen Fakhrizadeh in broad daylight in November. Iran blamed Israel for the assassination. Israeli officials have claimed they don’t know who is responsible for the killing.
The effects of cyber-operations are typically subtler. Charming Kitten does not tend to dump data it obtains, but stores it for possible use in intelligence-gathering down the road, according to analysts.
“They do a lot of [different activity], but what they do with the information, we don’t know in some cases,” said Ohad Zaidenberg, an Israel-based researcher with security firm ClearSky who tracks the group. “We know that they don’t leak the information or sell it for profit. We suspect [the Iranian government] uses the information for espionage purposes.”
Although Charming Kitten is notorious for targeting journalists and Iranian dissidents, the group reportedly tried to break into a drug company developing coronavirus treatments last year. It’s a sign of how intelligence agencies call on hacking groups for new missions in response to world events.
Unlike other Iranian state-linked hacking groups, Charming Kitten’s “credential phishing campaigns typically target a small number of individuals,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. In this latest operation, “a large portion of the targets’ email addresses are available on their employers’ websites or biography pages.”