Connect with us

Hi, what are you looking for?



Iranian Hackers Target Medical Personnel in US, Israel

Deviating from their typical activity, an Iranian threat actor known as TA453 has mounted a phishing campaign targeting senior medical professionals in the United States and Israel, cybersecurity firm Proofpoint reports.

Deviating from their typical activity, an Iranian threat actor known as TA453 has mounted a phishing campaign targeting senior medical professionals in the United States and Israel, cybersecurity firm Proofpoint reports.

Also referred to as Charming Kitten, Phosphorus, APT35, Ajax Security Team, ITG18, NewsBeef, and Newscaster, the group has been active since at least 2011, mainly targeting activists, journalists, and other entities in the Middle East, the U.K., and the U.S.

The new campaign, which Proofpoint named BadBlood due to its focus on medical personnel, targeted individuals specialized in genetic, neurology, and oncology research, in line with a broader trend in which threat actors are targeting medical research.

As part of the campaign, in December 2020, TA453 employed a Gmail account posing as a prominent Israeli physicist to send malicious emails containing a link to a fake Microsoft login page, in an attempt to harvest Outlook credentials. Once the victim would enter their credentials, a benign OneDrive document was displayed.

Up to 25 senior professionals working with various research organizations in the US and Israel were targeted in these attacks, but the targeting of Israelis might also be the result of increased geopolitical tensions in the region, Proofpoint notes.

The motivation behind the campaign is not yet clear, but it’s likely that TA453 attempted to collect medical information related to genetic, oncology, and neurology research. It is also possible that the adversary was interested in patient information or in leveraging the targeted accounts in future phishing campaigns.

“While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453,” Proofpoint says.

Advertisement. Scroll to continue reading.

During their investigation, the company’s researchers identified a multitude of artefacts that made attribution possible, including tactics, domains, infrastructure components, and lure documents, and discovered that the phishing campaign was conducted simultaneously with attacks on traditional TA453 targets.

“While targeting medical experts in genetics, neurology and oncology may not be a lasting shift in TA453 targeting, it does indicate at least a temporary change in TA453 collection priorities. BadBlood is aligned with an escalating trend globally of medical research being increasingly targeted by espionage motivated focused threat actors,” Proofpoint concludes.

Related: Microsoft Says Iranian Hackers Targeted Attendees of Major Global Policy Conferences

Related: Google Says Iran-Linked Hackers Targeted WHO

Related: Iranian Hackers Target Academic Researcher via WhatsApp, LinkedIn

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.