“Iranian attempts have become more sophisticated, more targeted, and really tailored to the interests of the target”

The Israel National Cyber Directorate (INCD) has recently identified more and more desperate attempts by Iran to recruit Israelis and infiltrate organizations. Tempting, personalized job offers purportedly from Rafael arriving on LinkedIn with suspicious links, emails impersonating the INCD that urge recipients to download a “security update”, offers of a significant sum of money for filling in personal details via a link, and invitations to researchers for academic conferences carrying links that infect the computer – these and other attempts by Iranian hacker groups targeting Israelis and organizations have recently been identified by the National Cyber Directorate, and they indicate a trend.

“Iranian attempts have become more sophisticated, more targeted, and really tailored to the interests of the target”, says Tom Alexandrovich, Head of the Technological Defense Division at the INCD. “The phishing messages are based on information gathering and in-depth research and include a malicious file or a link to enter personal details. However, with a little vigilance, it is still possible to identify the signs.”

Since the beginning of the conflict, there has been a sharp increase in phishing campaigns targeting entities in Israel. According to INCD data, at least 15 different campaigns originating from various Iranian attack groups, known by nicknames such as “Black Shadow” and “Muddy Water”, have been identified. Each campaign sends thousands of targeted emails to different types of companies and organizations in the private and public sectors. The increase indicates that the Iranians are looking for a foothold in organizations: a phishing message is a common way to start a cyber attack, provided the target actually opens the door to the attacker. After the initial infection, the attackers strive to reach deeper into the organization and into similar entities, using the information and tools stolen or implanted during that initial infection.

Behind the messages identified in recent months are hacker groups working for the Iranian regime, some of which are even operated on an “outsourcing” basis through private companies in Tehran. The groups operate for the purposes of causing damage, espionage, information gathering, and influence.

For example, in recent months, academics and researchers in Middle Eastern studies have received seemingly routine messages from researchers abroad asking about the Iranian arena. The messages, which appeared credible and focused on the recipient’s fields of interest, invited them to Zoom meetings and conferences, even attaching a list of legitimate participants to increase credibility. After the attempts were exposed, an investigation of the messages revealed that the Zoom link sent to the researchers actually led to malicious software.

Another interesting example recently identified is targeted approaches on LinkedIn that seemingly came from recruiters at “Rafael”, with a link to submit a resume. The link led to the download of a file and a request to enter a password. Once opened, the file executed and downloaded two further files that grant the attacker access to the workstation and the organizational network.

“The content of the messages is often tailored based on information gathered from various sources on the network, creating a profile of the organization and its employees. The phrasing in Hebrew is improving, and today it is possible to send the messages from a real email box of legitimate organizations, one of the employees, or impersonate one of the service providers in the supply chain,” explains Alexandrovich.

The Directorate takes various actions to address the issue, including blocking links, guiding entities at high risk, stopping the infection chain, issuing warnings, and sharing information about the attack.