“High-profile” experts working on Middle Eastern affairs at universities and research organizations in the US, UK, Belgium, France, Israel, and even Gaza have been targeted by hackers allegedly connected to the Iranian government, according to a new report from Microsoft.
The report alleges that a subset of a hacking group they call Mint Sandstorm has targeted experts since November using a phishing scheme – which involves sending targets deceptive links or forms to induce individuals to reveal personal information, such as passwords and credit card numbers.
“In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl,” the report explains.
Who are they targeting?
The Iranian hackers are known to target journalists, researchers, professors, or other individuals “with insights or perspective on security and policy issues of interest to Tehran,” the report said.
“These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum,” the Microsoft report said.
Groups linked to the Islamic Republic of Iran and the Islamic Revolutionary Guard Corps (IRGC) have targeted groups they see as hostile in the past – including Israeli individuals and organizations. For instance, a November cyberattack led by Iran and the Lebanon-based terror group Hezbollah targeted the Ziv Medical Center in Safed and succeeded in breaking into the hospital’s information systems to access patients’ sensitive personal details.
In September, an Iranian cyberattack sent fake messages to users of job search websites in Israel. Pretending to be official messages from the job websites, the hackers sent phishing messages containing malicious links that opened a browser tab with code that attempted to turn on the device's camera, as well as a fake login page that recorded the target's login credentials.
The targeting of Israelis by Iranian hackers has increased since the October 7th Hamas attacks. A report from Israel-based cybersecurity company Check Point showed an 18% rise in cyberattacks in Israel in October following the Hamas massacre on the 7th of October, with 52% of those directed against government systems.