Overview of TIR-20210411

This report is about a well-known threat targeting the medical research community in both the United States and Israel. The threat actor is based out of Iran with ties to the Iranian military. The campaign involves phishing notable targets with the promise of viewing an exclusive report.

Tactics, Techniques, and Procedures

The campaign is initiated over email with the threat actor posing as a prominent Israeli physicist. The email is about a report on Nuclear weapons being developed by Israel with a link being hosted on a fake Microsoft OneDrive landing page. The landing page is designed to look legitimate and is completely controlled by the attacker. When visiting the landing page, it shows a pdf document name and a typical logo with an offer to download the file. Clicking the download button redirects the user to a login page hosted on the same attacker-controlled domain asking for the user’s Microsoft account credentials. Once the credentials are entered successfully into the login page they get harvested by the bad actor. The user gets redirected to the report on Israel’s nuclear weapons program hosted on the legitimate Microsoft OneDrive site.

The threat actor has spun up other websites hosting similar targeted material related to topics on national security. These other domains currently have not been attributed to phishing campaigns of their own. Phishing campaigns from this threat actor with national security themes have been dubbed by the cybersecurity community as Bad Blood.

Business Unit Impact

  • May lead to the loss of user credentials by a sophisticated nation-state-level threat actor.
  • May result in the loss of sensitive medical data involving patient information such as trial studies, lab results, information on health conditions, and more.

Our Recommendations

It is highly encouraged that you provide user training on how to spot a phishing email and landing page. Teach users to pay attention to the address bar in their web browser. If a user is affected by this campaign, reset their password and review the account activity for any recent suspicious activity.


Supporting Documentation

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.