Threats Feed | TA453 | Last Updated: 25/07/2024 | Author: Certfa Radar | Publish Date: 30/03/2021

BadBlood Campaign: TA453 Targets US and Israeli Medical Research Professionals

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spear Phishing
  • Attack Complexity: Low
  • Threat Risk: Low Impact/High Probability

Threat Overview

In late 2020, the Iranian-nexus threat actor TA453 launched a credential phishing campaign, tracked as BadBlood, targeting senior medical professionals in genetic, neurology, and oncology research in the United States and Israel. The campaign deviates from the group's usual targeting and may indicate a shift in TA453's collection priorities. The attackers sent spear-phishing emails containing links to a fake OneDrive site, hosted on lookalike domains that mimic Microsoft's 1drv short-link service, in order to harvest user credentials. Compromised accounts could then be used to exfiltrate mailbox contents or to send further phishing emails from a trusted sender.

Detected Targets

Type | Name | Confidence

  • Case | Congressional Research Service | Verified
    The Congressional Research Service is a public policy research institute of the United States Congress. Operating within the Library of Congress, it works primarily and directly for members of Congress and their committees and staff on a confidential, nonpartisan basis. The Congressional Research Service has been targeted by TA453 for abusive purposes.
  • Case | European Council on Foreign Relations | Verified
    The European Council on Foreign Relations is a pan-European think tank with offices in seven European capitals. Launched in October 2007, it conducts research on European foreign and security policy and provides a meeting space for decision-makers, activists and influencers to share ideas. The European Council on Foreign Relations has been targeted by TA453 for abusive purposes.
  • Case | House of Commons Library | Verified
    The House of Commons Library is the library and information resource of the lower house of the British Parliament. It was established in 1818, although its original 1828 construction was destroyed during the burning of Parliament in 1834. The House of Commons Library has been targeted by TA453 for abusive purposes.
  • Sector | Healthcare | High
  • Sector | Scientific Research | High
  • Region | Israel | Verified
  • Region | United States | Verified

Extracted IOCs

  • 1drv[.]casa
  • 1drv[.]cyou
  • 1drv[.]icu
  • 1drv[.]live
  • 1drv[.]online
  • 1drv[.]surf
  • 1drv[.]xyz
  • zajfman.daniel@gmail[.]com
  • 1drv[.]casa/s/afghjkfjelmtfzxsxsgkdsjh1
  • 1drv[.]cyou/b/auqwu1zewrw5
  • 1drv[.]icu/b/auqwu1newrw1
  • 1drv[.]surf/b/auqwu1newrw9
  • 1drv[.]xyz/b/auqwu1newrw1/download
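The domain and URL indicators above are defanged (`[.]`) and mix bare hostnames with full paths, so they cannot be grepped against proxy or DNS logs as-is. The script below is an added example, not part of the Certfa Radar feed: it refangs the list, extracts the hostnames from both the domain and URL entries (skipping the email indicator, which would otherwise yield `gmail.com` as a false host), and then matches log URLs on exact host or subdomain. The proxy-style log lines are constructed for the example; the legitimate `1drv.ms` and `onedrive.live.com` hosts are included to show that they do not match the lookalike list.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the list above, including the email entry.
DEFANGED_IOCS = [
    "1drv[.]casa", "1drv[.]cyou", "1drv[.]icu", "1drv[.]live",
    "1drv[.]online", "1drv[.]surf", "1drv[.]xyz",
    "zajfman.daniel@gmail[.]com",
    "1drv[.]casa/s/afghjkfjelmtfzxsxsgkdsjh1",
    "1drv[.]cyou/b/auqwu1zewrw5",
    "1drv[.]icu/b/auqwu1newrw1",
    "1drv[.]surf/b/auqwu1newrw9",
    "1drv[.]xyz/b/auqwu1newrw1/download",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts(iocs):
    """Collect bare hostnames from domain and URL indicators.

    Email indicators are skipped: urlsplit() would treat the part after '@'
    as the host and wrongly add the mail provider's domain to the block list.
    """
    hosts = set()
    for ioc in iocs:
        val = refang(ioc)
        if "@" in val:
            continue
        if "://" not in val:
            val = "http://" + val  # scheme needed so urlsplit parses a host
        host = urlsplit(val).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host, bad_hosts):
    """True if host equals, or is a subdomain of, any indicator host."""
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in bad_hosts)


# Constructed sample log lines (timestamp client method url status); not from the page.
SAMPLE_LOGS = [
    "2021-03-29T10:15:02Z 10.1.4.22 GET https://1drv.ms/u/s!real-user-share status=200",
    "2021-03-29T10:16:40Z 10.1.4.22 GET https://1drv.cyou/b/auqwu1zewrw5 status=200",
    "2021-03-29T10:17:05Z 10.1.4.22 POST https://1drv.cyou/b/auqwu1zewrw5 status=302",
    "2021-03-29T11:02:11Z 10.1.7.9 GET https://login.1drv.xyz/b/auqwu1newrw1/download status=200",
    "2021-03-29T11:03:00Z 10.1.7.9 GET https://onedrive.live.com/ status=200",
]

URL_RE = re.compile(r"https?://\S+")


def scan_logs(lines, iocs):
    """Return (line_number, host) for every URL whose host matches an indicator."""
    bad_hosts = ioc_hosts(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host and host_matches(host, bad_hosts):
                hits.append((n, host))
    return hits


if __name__ == "__main__":
    for n, host in scan_logs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {n}: request to TA453 lookalike host {host}")
```

Matching on the host rather than the full path matters here: the feed lists one path per lookalike domain, but a credential-phishing kit typically serves many per-target paths on the same host, and the POST on line 3 (a form submission back to the phishing page) is the event worth triaging first.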

Tip: 13 IOCs related to this threat have been found (0 IPs, 7 domains, 5 URLs, 1 email address, 0 file hashes).