Iranian cyberspies target professionals at medical research organizations in the US, Israel | The Record by Recorded Future

By Catalin Cimpanu, March 31, 2021
Hackers linked to Iran have targeted 25 senior professionals at various medical research organizations located in the US and Israel as part of a weeks-long phishing campaign, email security firm Proofpoint revealed today.

The attacks are part of a long series that has repeatedly and increasingly targeted medical and pharmaceutical professionals since the onset of the COVID-19 pandemic.

Iranian cyberspies are one of the many groups engaging in such attacks, which also include threat actors from China, Russia, North Korea, and Vietnam.

The latest series of attacks, detailed in a Proofpoint report shared with The Record ahead of publication, includes phishing campaigns that lured medical experts to phishing sites posing as OneDrive file-sharing pages, where the attackers would try to collect the targets’ Microsoft account credentials.

Proofpoint said the attacks “targeted individuals with a background in either genetics, oncology, or neurology.”

While the security firm didn’t reveal the victims’ names or employers, Proofpoint security researcher Joshua Miller said the “medical professionals appear to be extremely senior personnel at a variety of medical research organizations.”

“Medical research is an increasingly attractive threat actor target especially as the pandemic continues,” Sherrod DeGrippo, Senior Director, Threat Detection and Response at Proofpoint, told The Record in an email.

Attacks tied to one of Iran’s biggest hacking groups
But while cyberattacks are often hard to attribute to a specific group, Proofpoint said it was able to link the recent campaign, which it calls BadBlood internally, to a group the company tracks as TA453, but which is more widely known in the cyber-security community under other names such as Phosphorus (Microsoft designation), APT35 (FireEye numbering), and Charming Kitten (ClearSky codename).

Based on previous reporting, this group appears to be one of Iran’s primary cyber-espionage outfits, believed to be operating under the supervision of the Islamic Revolutionary Guard Corps (IRGC), Iran’s military intelligence service, known to use a network of contractors to carry out surveillance, cyber-espionage, and even cybercrime operations.

According to previous reports, past TA453 operations have usually targeted dissidents, academics, diplomats, and journalists, living both in Iran and abroad.

But while Proofpoint said it couldn’t “conclusively determine the motivation of actors conducting these [recent] campaigns,” the same group has been observed targeting medical, pharmaceutical, and COVID-19-related targets before, since at least May 2020, so these attacks don’t appear to be a deviation from TA453’s previous 2020 targeting goals.

In addition, Miller reported that Proofpoint managed to track down TA453’s server infrastructure and adjacent domains.

This allowed the company to track previous TA453 operations, dating as far back as December 2020. Analysis of this infrastructure revealed that TA453 also mounted attacks against its classic targets.

Miller said these attacks relied on the use of lure documents with national security themes, such as Congressional Research Reports, think tank publications, and other policy-minded documents, suggesting the group might have previously gone after natsec professionals, although there is no solid evidence to officially confirm the attacks beyond the observed infrastructure.

“Overall, TA453’s credential phishing campaigns typically target a small number of individuals,” DeGrippo told The Record.

The Proofpoint exec also said they sent notifications to all targeted parties within the company’s userbase.