Interesting details of the latest Iranian cyber attack targeting Israeli officials

Today, Tuesday, Hebrew media revealed a large-scale cyber attack by Iranian hackers targeting current and former Israeli officials, including former Foreign Minister Tzipi Livni.
The Israeli information security company Check Point said, “Iranian hackers penetrated the mailbox of a reserve brigade (in the Israeli army), and impersonated him,” according to what was reported by the official “Kan” channel.
It added that the hackers attempted to carry out cyber attacks against high-ranking political, academic and business entities, including former Secretary of State Livni, the former US ambassador to Israel, the head of a highly centralized research institute, a senior academic on Middle East affairs, and the vice president of a major security firm.
For at least half a year, from December 2021 until last week, Iranian hackers corresponded on behalf of the senior general in the reserves, after hacking his email account, with senior officials with the aim of getting them to open various documents.
The hackers’ various correspondences with the parties they attempted to attack included sending documents with an invitation to a conference abroad and articles on Iran’s nuclear program – this required victims to type in their email password.

In one case, the correspondence led a senior manager of a major security company in Israel to send a copy of his passport.
During December, the former Secretary of State received several emails in Hebrew from the same general’s email, including a request to read an article he wrote about security events in 2021.
After several emails urging Livni to open the file using her email password, the former secretary of state, suspicious of the matter, turned to the general, who had no idea what she was talking about.
Livni forwarded the email correspondence to Check Point, through which the company tracked the senders and files and found out how big the move was.
During the mentioned months, the Iranian attackers also managed to get their hands on private email correspondence between the head of a highly centralized research institute in Israel and the former US ambassador to Israel, and used it to establish further correspondence.
In the correspondence, the Iranians impersonated the ambassador using another email, sent the head of the institute files allegedly dealing with Iran’s nuclear program and used the link used in phishing attacks (URLs can be shortened).

It was also found that the attackers set up an infrastructure to obtain the phone numbers of the victims, as part of the process of opening documents.
The method worked as follows: First, after clicking on the document attached to the email or a link in the email, a page will appear asking to enter a user account identification password (a password that will be copied by the attackers).
Then, a request will be sent to the user for further verification in the form of an SMS code that will be sent to the device associated with the email account. It should be noted that the phone number found within the spoofing page was specially adapted for the purpose of the attack.
Against the background of the cyber attack, the Israel Internet Association published a statement saying that in any case of receiving an email, it is recommended to pay attention not only to the name that appears as the person who sent it to us – but to the email address itself and whether that address is known to us as The real address of the sender.