The Iran-based hacker group TA453, also known as “Charming Kitten” and “Phosphorus”, targeted 25 senior professionals specializing in genetic, neurology, and oncology research, based in Israel and the US, in 2020.

The report released by cybersecurity firm Proofpoint could not say what the hackers were planning to do with the data obtained in the course of the cyber campaign dubbed BadBlood, but noted that “Phosphorus” used credentials harvested in earlier attacks to extract emails and use compromised accounts in new cyber operations.

Proofpoint cited outside reports linking “Phosphorus” to the Iranian government and its Islamic Revolutionary Guard Corps (IRGC), but stressed it could not “independently attribute TA453 to the IRGC”. The cybersecurity company also noted that it could not “conclusively determine the motivation” of the hackers involved in the BadBlood campaign.

Proofpoint said the techniques used to target the American and Israeli medical researchers in the 2020 attack were consistent with previous tactics used by “Phosphorus”, but the group had never before conducted operations against such individuals.

The cybersecurity company said TA453 had historically targeted “[Iranian] dissidents, academics, diplomats, and journalists”, but suggested the BadBlood campaign could have been “a specific short-term intelligence collection requirement”. Proofpoint added that a cyber campaign targeting Israeli individuals would also be “consistent” with geopolitical tensions between Israel and Iran, which intensified in 2020.