Iranian phishing attack said to target top Israeli officials, former US ambassador

Cyber firm Check Point says ex-foreign minister Tzipi Livni, former IDF major general among targets; attackers tried, and sometimes managed, to gain control of email accounts

Michael Bachner is a news editor at The Times of Israel

Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, on September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)
Illustrative: A cybersecurity expert stands in front of a map of Iran as he speaks to journalists about the techniques of Iranian hacking, on September 20, 2017, in Dubai, United Arab Emirates. (AP/Kamran Jebreili)

Iranian hackers recently led a spear-phishing operation against high-ranking Israeli and Israel-linked targets, including former foreign minister Tzipi Livni and a former US ambassador to the Jewish state, an Israeli cybersecurity firm said Tuesday.

In a statement, Check Point Research described the attack, saying it employed a wide array of fake email accounts to impersonate trusted parties, take over the targets’ accounts, steal information and use it to attack new targets. In many cases, the email correspondence or documents linked to by the attackers referenced security issues related to Iran and Israel.

Check Point said its analysis led it to believe the attack was perpetrated by an Iranian group called Phosphorus, which has a long history of conducting high-profile cyber operations aligned with Tehran’s interests as well as targeting Israeli officials.

The targets weren’t named by Check Point to protect their privacy, with the exception of Livni, who agreed to let her name be published. The list of targets also included a well-known former major general in the Israel Defense Forces who served in a “highly sensitive position,” the current chairperson of one of Israel’s leading security think tanks, the former chairperson of a well-known Middle East research center, and a senior executive in the Israeli defense industry.

According to the statement, the hackers “performed an account takeover of some victims’ inboxes and then hijacked existing email conversations to start attacks from an already existing email conversation between a target and a trusted party and continue that conversation in that guise.”

They created a fake URL shortener website to disguise the phishing links, calling it Litby[.]us — apparently trying to resemble the popular Bitly URL shortening service. They also utilized a legitimate identity verification service,, for the theft of identity documents.

“The visible purpose of this operation appears to be… gaining access to victims’ inboxes, their personally identifiable information and their identity documents,” Check Point said.

Opposition leader Tzipi Livni attends a faction meeting in the Knesset on November 19, 2018. (Miriam Alster/FLASH90)

Livni, a former diplomat and veteran politician who served as foreign minister, deputy prime minister and justice minister, was contacted via email by someone impersonating the former IDF major general, who was using the latter’s authentic email account after gaining control of the account.

The email contained a link to a file that the attacker asked Livni to open. “When she delayed doing so, the attacker approached her several times asking her to open the file using her email password,” piquing her suspicions, according to Check Point.

Emails from the genuine account of a former IDF major general sent to former foreign minister Tzipi Livni, as part of an alleged Iranian spear phishing attack. (Check Point Research/courtesy)

“When she met the former major general and asked him about the email, it was confirmed that he never sent such an email to her,” the statement said. “She then approached Check Point to investigate this suspicious event.”

In another case, the attackers impersonated an American diplomat who previously served as the US ambassador to Israel, and targeted the security think tank chairperson. They initiated email correspondence that followed up on a genuine copy-pasted thread between the two officials from two weeks earlier, that was stolen from the inbox of one of them.

An email exchange between an alleged Iranian hacker impersonating a former US ambassador to Israel, and the chairperson of one of Israel’s leading think tanks. (Check Point Research/courtesy)

Check Point said the campaign had several characteristics to indicate it was run by an Iran-backed entity, including a fake Yahoo login page copied from an Iranian IP address, and a commented-out section of code that indicates it may have also been used in a previous attack by Phosphorus.

A fake Yahoo login page used in an alleged Iranian spear phishing attack. (Check Point Research/courtesy)

The news came two days after Hebrew media reported that Israeli and Turkish security agencies had last month uncovered an Iranian plot to kidnap Israeli tourists in Turkey and foiled it in the nick of time. Israel has since issued a top-level travel warning to Istanbul.

Last month, the Shin Bet security agency said it had uncovered and foiled an attempt by Iranian operatives to lure Israeli academics, businesspeople and former defense officials abroad, in an effort to kidnap or otherwise harm them.

Also in May, the Shin Bet said it uncovered an Iranian operation that tried to recruit Israeli civilians to collect information on targets in Israel, using a fake social media profile.

The Shin Bet has warned that Iranian intelligence is constantly looking to recruit Israelis through the internet in order to collect information about the country.

Last year, an Israeli man was nearly tricked by an Iranian operative into traveling to the United Arab Emirates, but called off his trip after hearing of Iranian efforts to kidnap or otherwise harm Israeli citizens.

In 2020, the Shin Bet arrested another Israeli citizen suspected of spying for Iran.

Most Popular
read more: