Iran-backed cyberwar group Phosphorus targets US, Israel and corporations


Suspected Iranian hackers targeted the email accounts of senior Israeli and American officials and executives this month. According to the Israeli cybersecurity company Check Point, the personal email accounts of these individuals were the subject of a series of phishing attacks whose lures concerned security issues affecting Iran and Israel.

The attack was reported just days after FBI Director Christopher Wray, speaking at a conference, described how hackers sponsored by the Islamic Republic of Iran attempted a “despicable” cyberattack on Boston Children’s Hospital last year.

Prioritizing state-sponsored cyber warfare

In recent years, Iran has prioritized building up its offensive cyber warfare capabilities to use against its adversaries. Russia and China also possess sophisticated cyber capabilities. While the United States is widely regarded as the most “cyber-capable” nation, the world’s growing reliance on digital infrastructure and the improving abilities of US adversaries have increased the frequency and scale of attacks.

Attributing the Phosphorus hackers to Iran

Check Point believes that the recent cyberattack targeting US officials, Israeli officials and executives was carried out by an Iranian group called Phosphorus. The activity came from an Iranian IP address, and a commented-out section of code pointed to the Phosphorus group, according to The Times of Israel.

The Iranian group has carried out several other notable attacks since its inception. In October 2019, Microsoft reported that the Iran-linked Phosphorus group was targeting an unnamed US presidential campaign, which Reuters later identified as the Trump campaign. Microsoft reported that the group went after the personal accounts of campaign staffers, and said that it had taken steps to take control of dozens of websites Phosphorus used to carry out its hacks.

In its latest operation, the group targeted a handful of individuals, including Israel’s former foreign minister Tzipi Livni, a former US ambassador to Israel and a well-known former major general in the Israel Defense Forces (IDF). According to a statement released by Check Point, the Iranian group “carried out a takeover of the inboxes of some victims, then hijacked existing email conversations to launch attacks from an already existing email conversation between a target and a relying party and continue that conversation in that guise.”

Israel and the United States are on high alert for Iran-based hacking operations. Last October, Microsoft released evidence identifying a group of Iranian hackers targeting American and Israeli companies. The report, published by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU), said that more than 250 Office 365 tenants had been targeted by widespread password spraying.
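Password spraying has a distinctive shape in sign-in logs: one source tries a small number of passwords against many different accounts, staying below the per-account lockout threshold that a brute-force attempt would trip. The following detector is an added example, not code from the article, Check Point or Microsoft. The sign-in events are constructed inline, the field layout does not correspond to any real Office 365 or Azure AD log schema, and the window and thresholds (10 minutes, at least 5 distinct accounts, at most 3 failures per account) are assumptions a team would tune for its own tenant.

```python
"""Password-spray detection over constructed sign-in events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, username, source_ip, succeeded).
# Assumed layout; not a real Office 365 / Azure AD sign-in schema.
SAMPLE_EVENTS = [
    # One source trying one guess each against many accounts (spray shape)
    ("2021-10-01T02:00:01", "alice@example.com", "203.0.113.7", False),
    ("2021-10-01T02:00:04", "bob@example.com", "203.0.113.7", False),
    ("2021-10-01T02:00:09", "carol@example.com", "203.0.113.7", False),
    ("2021-10-01T02:00:15", "dave@example.com", "203.0.113.7", False),
    ("2021-10-01T02:00:21", "erin@example.com", "203.0.113.7", False),
    ("2021-10-01T02:00:27", "frank@example.com", "203.0.113.7", True),
    # A legitimate user mistyping their own password, then succeeding
    ("2021-10-01T08:15:00", "alice@example.com", "198.51.100.4", False),
    ("2021-10-01T08:15:20", "alice@example.com", "198.51.100.4", False),
    ("2021-10-01T08:15:45", "alice@example.com", "198.51.100.4", True),
    # Brute force of a single account: many failures, one account (not a spray)
    *[("2021-10-01T03:00:%02d" % i, "bob@example.com", "192.0.2.9", False)
      for i in range(10)],
]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, per_account_cap=3):
    """Flag source IPs whose failures within `window` span at least
    `min_accounts` distinct accounts while no single account sees more
    than `per_account_cap` failures (the low-and-slow spray pattern).

    Returns {source_ip: {"accounts": n, "successes": [users]}}, where
    "successes" lists accounts that later authenticated from the same
    source, i.e. candidates for a compromised password.
    """
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = defaultdict(set)   # ip -> {user, ...}
    for ts, user, ip, ok in events:
        t = datetime.fromisoformat(ts)
        if ok:
            successes[ip].add(user)
        else:
            failures[ip].append((t, user))

    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window starting at each failure; stop at the first hit.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, user in fails[i:]:
                if t - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= per_account_cap):
                flagged[ip] = {"accounts": len(per_user),
                               "successes": sorted(successes[ip])}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(ip, info)
```

The brute-force source (192.0.2.9) is deliberately not flagged: ten failures against one account is a different signal, usually caught by per-account lockout, whereas the spray source stays at one failure per account and would slip past that control. In a real tenant the same logic would run over exported sign-in logs, with the source-IP key widened to cover attackers rotating through a proxy pool.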

A few months before Microsoft’s announcement, the FBI foiled an attack on a US hospital, recently revealed to be Boston Children’s Hospital. FBI Director Wray affirmed that the United States “cannot abandon China, Iran, or the criminal syndicates as we focus on Russia.” While the Kremlin has continued hacking operations against Kyiv during its ongoing invasion of Ukraine, the United States remains susceptible to attack. Additionally, the possibility of a joint Iranian-Russian cyber operation could have significant security implications for the United States.

Maya Carlin is a Middle East defense editor at 19FortyFive. She is also an analyst at the Center for Security Policy and a former Anna Sobol Levy Fellow at IDC Herzliya in Israel. She has bylines in numerous publications, including The National Interest, Jerusalem Post and Times of Israel.
