Advertisement

How alleged Iranian hackers are posing as an Israeli scientist to spy on US medical professionals

Hacking is still central to the high-stakes spying game between Iran, Israel and the U.S.
Weizmann Foundation
Daniel Zajfman (center) attends a gala in Paris in December 2019. Suspected Iranian hackers have impersonated the physicist in a hacking operation, according to new research. (Bertrand Rindoff Petroff/Getty Images for Pasteur-Weizmann Foundation)

Suspected Iranian hackers have impersonated a well-known Israeli physicist as part of a broader campaign to break into the email accounts of some two-dozen medical researchers in Israel and the U.S., email security firm Proofpoint said Wednesday.  

The intrusion attempts — carefully crafted efforts to spy on senior medical professionals in the genetic, neurology and oncology fields — are the handiwork of the Charming Kitten hacking group, Proofpoint said. A 2019 U.S Justice Department indictment linked the group to the Iranian military.

The phishing campaign shows how, more than a decade after the Stuxnet worm’s infiltration of an Iranian nuclear facility, hacking is still central to the high-stakes spying game between Iran, Israel and the U.S. And it is but one of several recent examples, including the targeting of the 2020 U.S. election, of how Iranian hackers are capable of threatening U.S. interests.    

In this case, the suspected Iranian operatives set up a Gmail account in the name of Daniel Zajfman, an accomplished Israeli physicist, according to Proofpoint. The hackers sent a series of spearphishing emails from the Zajfman account to the medical professionals purporting to contain information on Israel’s nuclear program. Once opened, the malicious links can siphon off users’ email credentials.

Advertisement

The goal of the operation could be to acquire medical research or personal health data on intelligence targets of interests to Tehran, the researchers said. It was not clear how successful the hacking was.

Zajfman, who leads a research center near Tel Aviv, did not respond to a request for comment on the research.

He is not the only famous scientist to be caught up in cloak and dagger operations between the two Middle East rivals. As the alleged Iranian hackers were impersonating Zajfman, a team of assassins mowed down prominent Iranian nuclear scientist Mohsen Fakhrizadeh in broad daylight in November. Iran blamed Israel for the assassination. Israeli officials have claimed they don’t know who is responsible for the killing.

The effects of cyber-operations are typically subtler. Charming Kitten does not tend to dump data it obtains, but stores it for possible use in intelligence-gathering down the road, according to analysts.

“They do a lot of [different activity], but what they do with the information, we don’t know in some cases,” said Ohad Zaidenberg, an Israel-based researcher with security firm ClearSky who tracks the group. “We know that they don’t leak the information or sell it for profit. We suspect [the Iranian government] uses the information for espionage purposes.”

Advertisement

Although Charming Kitten is notorious for targeting journalists and Iranian dissidents, the group reportedly tried to break into a drug company developing coronavirus treatments last year. It’s a sign of how intelligence agencies call on hacking groups for new missions in response to world events.

Unlike other Iranian state-linked hacking groups, Charming Kitten’s “credential phishing campaigns typically target a small number of individuals,” said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. In this latest operation, “a large portion of the targets’ email addresses are available on their employers’ websites or biography pages.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts