The Azadi Tower in Tehran, Iran. (Christiaan Triebert, CC BY 2.0 https://creativecommons.org/licenses/by/2.0, via Wikimedia Commons)
In late 2020, a well-known hacker group believed to be sponsored by the Iranian government started a credential harvesting campaign targeting United States and Israeli medical personnel, according to new research from Proofpoint.
Researchers attribute the campaign, which it has dubbed “BadBlood,” to Charming Kitten, also known as Phosphorous or, in Proofpoint’s parlance, TA453.
Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, noted that the choice of targets is an interesting feature of the campaign.
“TA453 typically concentrates on targeting dissidents, academics, diplomats, and journalists. BadBlood shifted targeting to medical research (genetics, oncology, and neurology) and possibly patient-related information,” she told SC Media via email.
Proofpoint has no conclusive sense of what the motivation was for the campaign.
“As collaboration for medical research is often conducted informally over email,” said DeGrippo, “this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients’ accounts in further phishing campaigns.”
BadBlood leveraged phishing lures related to Israeli nuclear weapon capabilities sent from a fake Gmail account purporting to belong to Daniel Zajfman, an Israeli physicist and president of the Weizmann Institute of Science. According to DeGrippo, it is common for TA453 to use political lures, including ones about nuclear proliferation, even when targeting unrelated sectors. The lure emails linked to a spoofed Microsoft OneDrive page, which then collected login information.
Proofpoint linked the campaign to TA453 through the use of consistent infrastructure and similar lures. The vendor does not independently attribute the group to Iran, though the report notes that the United States and several industry groups, including Microsoft, have made the connection in the past.
“TA453 routinely attempts to obtain the email credentials of individuals that may possess information aligned with the [Islamic Revolutionary Guard’s] collection priorities,” said DeGrippo.
According to the report, the BadBlood name was chosen “based on the medical focus and continued geopolitical tensions between Iran and Israel.”