A prominent Jewish religious figure was targeted in a phishing campaign that cybersecurity researchers attribute to a group linked to Iran's military. The attack, which took place in July, used multiple email addresses that impersonated the research director of the Institute for the Study of War (ISW), a U.S.-based think tank.
Writing from the spoofed addresses, the attackers invited the intended victim to take part in a podcast hosted by ISW. After an exchange of emails, they sent a Google Drive link to a ZIP file named “Podcast Plan-2024.zip.” Inside the archive was a malware toolkit that Proofpoint tracks as BlackSmith, built for intelligence gathering and data exfiltration.
Proofpoint, the cybersecurity firm that published a report on the incident, noted that while it could not directly link the campaign to individual members of the Islamic Revolutionary Guard Corps (IRGC), the attack was carried out by a group that other researchers have tracked for years. The group, known variously as APT42, Mint Sandstorm, Charming Kitten, and TA453, has a long history of operations aligned with Iranian state interests.
Just last week, Google accused APT42 of targeting high-profile individuals in both the U.S. and Israel, including people associated with major U.S. presidential campaigns. One of the URL shorteners used in this latest campaign had previously been identified by Google's Threat Analysis Group as tied to APT42.
Proofpoint pointed to the BlackSmith toolkit as a hallmark of the group's Iran-backed operations, and noted that the group's targeting aligns with the priorities of the IRGC Intelligence Organization (IRGC-IO).
Joshua Miller, an APT threat researcher at Proofpoint, commented on the group’s consistent pattern of phishing campaigns that reflect “IRGC intelligence priorities.” He noted that the attempted malware deployment against a Jewish figure likely supports ongoing Iranian cyber efforts targeting Israeli interests. Miller emphasized that TA453 has persistently targeted politicians, human rights defenders, dissidents, and academics.
Proofpoint’s report also highlighted that this phishing campaign is part of a broader Iranian effort to target diplomatic and political entities, including embassies in Tehran and U.S. political campaigns. While using a podcast interview as a lure was a novel approach, the group has employed various social engineering techniques in the past to trick targets into downloading or opening malicious content.
The incident involved a series of benign emails between the hackers and the victim before the malware was introduced. Proofpoint first observed Iranian actors spoofing ISW in phishing campaigns earlier this year, after the actors registered the lookalike domain in January. The fake podcast invitation was sent to several email addresses controlled by the religious figure, a tactic nation-state actors commonly use to raise the odds that at least one copy is read.
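The lure chain described above has observable features on the defender's side: a sender that invokes a real organization from a domain that is not the organization's, a sender domain registered months before first use, a cloud-sharing link pointed at an archive file, and the same sender contacting several addresses belonging to one person. The script below is an added example, not Proofpoint's or Google's code, that scores constructed mailbox records on those four signals. The page names neither the spoofed domain nor the legitimate ISW domain, so `understandingwar.org`, the lookalike `isw-podcast.example`, the recipient addresses, the Google Drive file id and the January registration date are all assumptions for illustration.

```python
"""Mailbox-side heuristics for org-impersonation lures that deliver archives via cloud links.
Added example with constructed data; domains, addresses, dates and file ids are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed legitimate domain for the impersonated think tank (illustration only).
ORG_DOMAINS = {"institute for the study of war": "understandingwar.org"}
ORG_TOKENS = ("isw", "understandingwar", "studyofwar")   # fragments a lookalike domain might reuse
SHARE_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com", "1drv.ms")
URL_RE = re.compile(r'https?://[^\s<>"]+')
QUOTED_ARCHIVE_RE = re.compile(r'["“]([^"”]+\.(?:zip|rar|7z|iso|img))["”]', re.I)
BARE_ARCHIVE_RE = re.compile(r"\b(\S+\.(?:zip|rar|7z|iso|img))\b", re.I)
# The page's case had roughly six months between registration and use, so a typical
# 30-day "newly registered domain" window would have missed it; use a year here.
NEW_DOMAIN_DAYS = 365


@dataclass
class Message:
    msg_id: str
    sent: date
    display_name: str
    sender: str
    recipient: str
    body: str


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def impersonated_org(msg: Message) -> Optional[str]:
    """Return the org a message claims to be from when the sender domain is not that org's."""
    dom = sender_domain(msg.sender)
    for org, legit in ORG_DOMAINS.items():
        if dom == legit:
            continue  # genuinely from the org's own domain
        if (org in msg.display_name.lower()
                or any(t in dom.replace("-", "") for t in ORG_TOKENS)
                or SequenceMatcher(None, dom, legit).ratio() >= 0.8):
            return org
    return None


def archive_via_share_link(body: str) -> List[Tuple[str, str]]:
    """(share URL, archive name) pairs when a body couples a cloud-share link with an archive."""
    share_urls = []
    for url in URL_RE.findall(body):
        host = urlparse(url).netloc.lower()
        if any(host == h or host.endswith("." + h) for h in SHARE_HOSTS):
            share_urls.append(url)
    names = QUOTED_ARCHIVE_RE.findall(body) or BARE_ARCHIVE_RE.findall(body)
    return [(u, n) for u in share_urls for n in names]


def newly_registered(msg: Message, whois: Dict[str, date]) -> bool:
    """True when the sender domain was registered within NEW_DOMAIN_DAYS of the send date."""
    reg = whois.get(sender_domain(msg.sender))
    return reg is not None and (msg.sent - reg).days < NEW_DOMAIN_DAYS


def multi_address_targeting(msgs: List[Message], owner: Dict[str, str]) -> Dict[Tuple[str, str], int]:
    """(sender domain, person) -> count of that person's distinct addresses the domain mailed (>1 only)."""
    seen = defaultdict(set)
    for m in msgs:
        person = owner.get(m.recipient.lower())
        if person:
            seen[(sender_domain(m.sender), person)].add(m.recipient.lower())
    return {k: len(v) for k, v in seen.items() if len(v) > 1}


def triage(msgs: List[Message], owner: Dict[str, str], whois: Dict[str, date]) -> Dict[str, List[str]]:
    """Map each message id to the list of lure signals it trips."""
    multi = multi_address_targeting(msgs, owner)
    out = {}
    for m in msgs:
        reasons = []
        org = impersonated_org(m)
        if org:
            reasons.append(f"impersonates {org}")
        if newly_registered(m, whois):
            reasons.append("sender domain registered less than a year before send")
        links = archive_via_share_link(m.body)
        if links:
            reasons.append(f"cloud-share link paired with archive {links[0][1]}")
        if (sender_domain(m.sender), owner.get(m.recipient.lower())) in multi:
            reasons.append("same sender hit multiple addresses of one person")
        out[m.msg_id] = reasons
    return out


# Constructed sample data: a three-message lure to two addresses of one target, plus one benign mail.
LURE_NAME = "Research Director, Institute for the Study of War"
LURE_FROM = "director@isw-podcast.example"
MESSAGES = [
    Message("m1", date(2024, 7, 2), LURE_NAME, LURE_FROM, "rabbi@congregation.example",
            "Would you join us as a guest on the ISW podcast?"),
    Message("m2", date(2024, 7, 2), LURE_NAME, LURE_FROM, "rabbi.office@personalmail.example",
            "Would you join us as a guest on the ISW podcast?"),
    Message("m3", date(2024, 7, 9), LURE_NAME, LURE_FROM, "rabbi@congregation.example",
            'Great. The outline is in "Podcast Plan-2024.zip": https://drive.google.com/file/d/1AbCdEf/view'),
    Message("m4", date(2024, 7, 10), "ISW Newsletter", "news@understandingwar.org",
            "rabbi@congregation.example", "This week's analysis: https://www.understandingwar.org/weekly"),
]
OWNER = {"rabbi@congregation.example": "target", "rabbi.office@personalmail.example": "target"}
WHOIS = {"isw-podcast.example": date(2024, 1, 15)}  # assumed registration date

if __name__ == "__main__":
    for msg_id, reasons in triage(MESSAGES, OWNER, WHOIS).items():
        print(msg_id, reasons or "clean")
```

The first two signals fire on the invitation itself, before any payload is sent, which is where a warm-up conversation like this one is cheapest to stop; the archive-via-share-link check only fires on the third message. In production the `WHOIS` table would come from a domain-age feed and `OWNER` from the directory's alias mapping.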
With the 2024 U.S. presidential election approaching, cybersecurity firms and governments have reported a significant uptick in malicious cyber activity originating from Iran. In addition to last week’s report from Google, both Microsoft and the campaign of former President Donald Trump have accused Iran of hacking attempts. The FBI has since confirmed that it is investigating Iran-backed cyberattacks on both presidential campaigns.
In a related development, OpenAI announced on Friday that it had dismantled a cluster of ChatGPT accounts involved in a covert Iranian influence operation. This operation used ChatGPT to generate content related to the conflict in Gaza, Israel’s participation in the Olympic Games, the U.S. presidential election, politics in Venezuela, and Scottish independence.
