Anatomy of an Iranian hack attack: How an Israeli professor got stung

After saying in a radio interview that she has contacts in Iran, Thamar Eilam Gindin became the subject of phishing attempts

Illustrative image of a hacker, via Shutterstock.

Iran has been accused of being behind an ongoing phishing and hacking operation that targets “high value” individuals throughout the Middle East. So far, over 500 individuals and groups have been hacked in an extensive, if crude, attack that utilizes email phishing techniques, direct hacks, and even telephone calls to gather data on targets, in the hope that they will inadvertently give up valuable login names and passwords.

The purpose of the attack, believes Dr. Thamar Eilam Gindin, an Israeli target whose posting of some of the emails and messages sent by hackers led to their unmasking, is to discover who its targets are communicating with about Iran – and inside Iran.

“In my case, the attacks began just a few days after an interview on Army Radio, where I mentioned that I had been in touch with contacts inside Iran,” Gindin told The Times of Israel. “Apparently they were interested in getting information on those contacts.”

Although it wasn’t the most sophisticated attack, Gindin was tricked into giving up credentials of one of her email accounts via a spear-phishing attack. However, Gindin said it was the bumbling of her attackers that warned her off.

“In some of the emails, they were able to send messages from inside servers in institutions that I knew could be trusted. These addresses were not spoofed. It was only because they made awful mistakes in their English, and used a specific style of Persian, that I was able to determine that I was not in touch with intelligent academics, but street thugs from Tehran who are apparently being employed by hackers,” she said.

The story came to light last week when Israeli cyber-security firm ClearSky published details of the attack, which was “clearly conducted by Iranians, and has been going on since 2011,” said ClearSky CEO Boaz Dolev – making this one of the few attacks where the identity of the hackers was clear.

“In general, it is difficult to ‘finger’ who is behind a specific attack, because it is easy for hackers to hide their identity, using fake IP addresses and other markers to throw investigators off the track.”

In this specific case, however, “we were able to trace the command and control servers back to Iranian IP addresses, and there was all sorts of other anecdotal evidence, from the writing style to the language used in some of the phishing messages, to the accents in phone calls made by hackers to fool victims,” said Dolev.

Based on Gindin’s experience, ClearSky was able to flesh out the hackers’ modus operandi, which matched the experience of hundreds of others throughout the Middle East, mostly in Israel and Saudi Arabia. “We’ve checked the details in many of these cases, and they are remarkably similar,” said Dolev. In honor of Gindin’s contribution to the discovery of the hack, ClearSky dubbed the attack “Thamar Reservoir,” said Dolev.

Gindin’s saga began in May, when she was interviewed on Army Radio on her activities as an Iran expert. Gindin is an expert on Iranian linguistics and pre-Islamic Iran, a renowned lecturer and research fellow at the Ezri Center for Iran and Persian Gulf Research in the University of Haifa, and author of the books “The Good, the Bad and the World – a Journey to Pre-Islamic Iran” and “The Book of Esther, Unmasked.”

Apparently, said Gindin, “the Iranians were monitoring the program, having heard promos that ran in advance announcing that I would be interviewed. I suppose it’s only fair, as we monitor their media broadcasts as well.”

Dr. Thamar Eilam Gindin (Courtesy)

The hackers’ first attempt to compromise Gindin’s information came from the office of an institution she works with. An email from an office worker she knew asked her to fill out a form and send it back to the office. Gindin did so, but then received another similar form, which she opened – setting off a piece of malware that managed to infiltrate her computer. “Later I noticed that the message was sent from a different account from the one that the original, legitimate document was sent from – although it was a similar enough address that you might not notice the difference.”
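The lookalike-address trick described above (a second message from an address that differs from the legitimate one by a character or two) is something a mail filter can flag. The following is an added example, not code from the article or from ClearSky; the contact list and the message headers are constructed, and the similarity threshold is an assumption.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book of senders the recipient already trusts
# (hypothetical domain, not the institution named in the article).
KNOWN_CONTACTS = {
    "office@example-institute.ac.il",
    "admin@example-institute.ac.il",
}

# Assumed threshold: addresses this close to a trusted one, but not
# identical, are treated as probable impersonation attempts.
LOOKALIKE_THRESHOLD = 0.85


def closest_known(address):
    """Return (best_matching_known_address, similarity_ratio)."""
    best, best_ratio = None, 0.0
    for known in KNOWN_CONTACTS:
        ratio = SequenceMatcher(None, address, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best, best_ratio


def classify_sender(from_header):
    """Classify a raw From: header value as known, lookalike or unknown."""
    _display_name, address = parseaddr(from_header)
    address = address.strip().lower()
    if address in KNOWN_CONTACTS:
        return "known"
    _match, ratio = closest_known(address)
    if ratio >= LOOKALIKE_THRESHOLD:
        # Near-identical to a trusted sender: the pattern Gindin described
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: the genuine sender, two one-character
    # variants (a swapped letter, a digit for a letter) and a stranger.
    for hdr in ("Office <office@example-institute.ac.il>",
                "Office <office@example-lnstitute.ac.il>",
                "Office <offlce@example-institute.ac.il>",
                "BBC Persian <news@unrelated-domain.example>"):
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A real deployment would compare against the recipient's own address book and combine this with the usual authentication checks (SPF, DKIM, DMARC), since a lookalike that passes those checks is still a lookalike.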

A few days later, Gindin got a phone call in Persian from someone claiming to be from the BBC’s Persian Service, asking her for an interview. “They left a message and were very specific on the details, when I was to call, what questions they would ask, etc.,” she said. She was instructed to download the questions from Google Drive – which required her to submit her password in order to access the document. “That was the only time they got me,” Gindin said.

In retrospect, said Gindin, she should have been wary of that attempt as well; the person who left the message was clearly not a professional media industry worker. “The message itself was in a slang that would not be employed by a BBC representative,” she said.

Two days later, Gindin got an email from an Israeli institution known for its scientific research, asking her to join the institution’s forum on Iranian studies, “which was strange, because this organization does not deal with issues like that,” she said. “The message was in awful English, a real giveaway because the employees of this institution communicate in professional English all the time.”

The message was an invitation to the institution’s “Iran Israel Forum,” with instructions to access a web page to join the forum. “Members of the forums is English because of different members from different countries,” the message said. “Members of forum include Israel and United States statesmen and Iranian fans of Israel.”

This was already too blatant a hacking attempt, but Gindin played along, clicking on the link, and, when asked to submit her email password, submitted a phony one. This proved beyond the shadow of a doubt that the institution had been hacked. “An expert analyzed that page and checked my email in the logs, where the fake password had been recorded – proof that they were collecting passwords in order to get into my account.”

There were other attempts as well – with hackers trying to take over her Facebook page and sending strange messages on Facebook and other social media, apparently in the hope of building Gindin’s trust and perhaps trying to extract information from her later on. They even tried to trick her online contacts into giving up information, possibly in the hope that one of those contacts would have the data they sought – or would be one of her Iranian interlocutors.

“The hackers set up two fake Facebook accounts with my name and pictures,” said Gindin. “At least one of them was used to send malware to subscribers from my blog who are also Facebook friends. These friends realized it wasn’t me because of the bad Hebrew and irrelevant content.”

In all, she said, the hackers mounted seven major hack attacks against her.

Most users have come to think of hacking as a mass activity targeting hundreds of thousands or millions of users at a time for a specific class of information, like credit card numbers. For credit card number thieves, the more numbers, the better; if a user gets suspicious and cancels their card, the hackers can just go onto the next one and use that until it gets blocked off. But the Thamar Reservoir hack used well-known techniques in order to get at information held by individuals – and apparently not financial information.

That the hackers so consistently attempted to steal data from Gindin and other victims of the scam indicates that she had information that they very badly wanted.

“The only thing I can think of is that they are looking for contacts I may have in Iran,” she said. “I’m not wealthy, so if they were targeting me for money they are going to be extremely disappointed.”

If the hackers are Iranians – government agents or members of Islamist youth organizations who have been instructed to track down “infidels” and spies – attacking Gindin and others in order to get at the information would have made perfect sense.

Can’t the Iranians just filter that information themselves, and see who Gindin or anyone else is connecting to?

“No,” she said. “There is a lot of Facebook and Twitter activity there today and it all runs on VPN (virtual private networks), in which it is impossible to identify the IP address or location of a user. The vast majority of Iranians use these services to hide their activities from the authorities, so if the government wants to track down people Iranians are communicating with in Israel, they have to try and hack Israelis.”
