Cyber Incident Victim: Israeli Government
Date: Dec 2004
Location: Israel
Summary
A sophisticated cyber espionage campaign, attributed to Iranian actors and named Infy, targeted Israeli entities and a U.S. government organization through spear phishing emails containing malicious documents. The malware, delivered via compromised Israeli email accounts, employed evasion techniques such as delayed activation until system reboot, then harvested sensitive data including keystrokes, browser credentials, and cookies for exfiltration to command-and-control infrastructure. The operation demonstrated sustained refinement over years, incorporating regional targeting tactics and adapting to new technologies like the Microsoft Edge browser. Evidence from infrastructure analysis, including domain naming patterns and server locations, pointed to Iranian involvement, with the campaign focusing on governmental, commercial, and even domestic targets for intelligence collection while maintaining a low profile to avoid detection.
Description
The Infy cyber espionage campaign, identified by Palo Alto Networks in 2016, represented a decade-long operation with origins potentially dating to 2004. Researchers first detected the activity after intercepting spear phishing emails sent from a compromised Israeli Gmail account in 2016. These emails contained malicious Word and PowerPoint documents targeting an Israeli industrial organization and a U.S. government recipient. Attackers concealed malware behind PowerPoint's 'Run' button functionality, triggering an executable that installed persistent DLL components through registry autorun modifications. The malware remained dormant until system reboot, after which it conducted antivirus checks before establishing command-and-control (C2) communications. Post-activation routines included environment data collection, keystroke logging, and theft of browser credentials (passwords, cookies, and browsing content), with exfiltration to attacker-controlled servers. Analysis revealed infrastructure components dating to 2010, though malware samples traced back to mid-2007. The campaign demonstrated continuous technical evolution, including adaptations for newer software such as the Microsoft Edge browser.
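As an added example (not part of this incident record or of the Palo Alto Networks reporting it summarizes), the following PowerShell audits the common Run/RunOnce autorun keys on a Windows host and flags entries that reference a DLL or a binary under a user-writable path, which is the class of persistence the description attributes to Infy. The key list and the two heuristics are this example's own assumptions, not indicators taken from the reporting; it generalizes to any autorun-based persistence rather than one specific key.

```powershell
# Added example, not from the incident record: audit Windows autorun registry
# locations for entries worth analyst review. Run in an elevated session on the
# host being examined. Key list and heuristics are assumptions for this example.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic 1 (assumption): an autorun value that loads a DLL through a host
# process is unusual for legitimate software and matches the DLL persistence
# described in the reporting.
$dllPattern = '\.dll\b'
# Heuristic 2 (assumption): autorun targets under user-writable directories are
# a common place for dropped components. -match is case-insensitive by default.
$userPathPattern = '\\(Users|ProgramData|Temp|AppData)\\'

function Get-AutorunFindings {
    $findings = foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            $reasons = @()
            if ($data -match $dllPattern)      { $reasons += 'references a DLL' }
            if ($data -match $userPathPattern) { $reasons += 'user-writable path' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $name
                    Data   = $data
                    Reason = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

# Print one row per flagged entry; an empty table means no entry matched.
Get-AutorunFindings | Format-Table -AutoSize
```

Every hit is a lead, not a verdict: compare the flagged binary's hash and signer against a known-good baseline, and extend the key list to the other autostart locations your environment cares about (services, scheduled tasks, Winlogon) before treating a clean result as meaningful.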

Palo Alto Networks identified 12 dedicated C2 servers through forensic analysis of malware samples and network traffic patterns. WHOIS records and neighboring IP address geolocation pointed to Iranian involvement, with domain naming conventions suggesting individual operators and hosting resellers within Iran. The operation maintained an exceptionally low profile through precise geographic targeting, region-specific content customization, and limited victim scope—factors contributing to its prolonged undetected operation. Targets included multiple national governments, private sector organizations, and Iranian citizens, indicating intelligence-gathering objectives. Researchers characterized the campaign as state-aligned espionage based on targeting patterns, infrastructure artifacts, and the sustained development cycle spanning over a decade. No public disclosures regarding victim remediation efforts or operational disruptions were documented in the analyzed reporting period.
