‘Iran spying on Israel, Saudi Arabia with major cyberattacks’

The Israeli ClearSky cybersecurity company said it has discovered an ongoing wave of cyber attacks originating from Iran on targets in Israel and the Middle East. The goal is “espionage or other nation-state interests,” the firm said.

The hackers have used techniques such as targeted phishing — in which hackers gather user identification data using false web pages that look like real and reputable ones — to hack into 40 targets in Israel and 500 worldwide. In Israel the targets have included retired generals, employees of security consulting firms and researchers in academia.

Some 44 percent of those targeted are in Saudi Arabia, followed by Israel (14%) and Yemen (11%).

Company officials said that the targets outside Israel included the finance minister of a Middle Eastern country, Qatar’s embassy in Britain, journalists and human rights activists, according to Israel Radio.

“The campaign includes several different attacks with the aim of taking over the target’s computer or gain access to their email account. We estimate that this access is used for espionage or other nation-state interests,” ClearSky said.

In the attacks, which ClearSky officials said dated from at least July 2014, but possibly as far back as 2011, hackers have sent malware as email attachments and used social-engineering techniques to hack into telephone lines, email accounts and Facebook.

ClearSky officials said that the current cyber attack is the toughest one they have encountered in terms of duration and persistence.

“The targets come, mostly, from the following fields: Both Academic researchers and practitioners in the fields of counter-terror, diplomacy, international relations, Iran and Middle East, and other fields, such as Physics; Security and defence; Journalists and Human rights activists,” the report said.

The authors said “several characteristics of the attacks have led us to the conclusion that an Iranian threat actor is the likely culprit.” They said they assume, but do not have direct evidence, that the hacking campaign is either being supported by the Iranian regime or performed by the regime itself: “The context of the attacks and cover stories all revolve around Iran,” the report noted. “The attackers speak and write in native Iranian Persian and make mistakes characteristic of Persian speakers. In one of the hacked accounts, when retrieved, the interface language had been changed to Persian.”

Furthermore, the targets and victims match the interests of Iran. Moreover, rather than stealing money or performing high key “cyber terror attacks… the attackers only steal information and use the access to computers for further attacks – indicating espionage, IP theft , etc.”

The firm detailed the findings in a new report entitled Thamar Reservoir after Dr. Thamar E. Gindin, an expert on Iranian linguistics and pre-Islamic Iran, who is also a lecturer and research fellow at the Ezri Center for Iran and Persian Gulf Research in the University of Haifa. Dr. Gindin, who was one of the targets of the cyber attack, is currently assisting with ClearSky’s investigation.

The report comes days after three European hotels that hosted talks between Iran and the world powers over limiting Iran’s nuclear program were reported to have been targeted by the Duqu virus — spyware believed to be linked to Israel.

The Duqu virus reportedly is related to Stuxnet, the computer worm that set back Iran’s nuclear program by several months or years by affecting some of Iran’s computer systems and centrifuges used to enrich uranium after it was released in 2010. The New York Times reported that Stuxnet was a joint project of Israel and the United States.

In addition to the three hotels that were hacked, the virus was found in computers at a site used to commemorate the 70th anniversary of the liberation of the Nazi death camp at Auschwitz, which was attended by several world leaders. Israeli officials declined to comment on the report. Israel has denied spying on its allies.

David Shamah and JTA contributed to this report.