Thamar Gindin is an Israeli scholar whose research focuses on the Persian language. For the past seven years (at least) Thamar has been a target for an endless stream of spear-phishing attempts by the Iranian regime, trying to take over her email account and lure her away from her country's borders. Her family, friends, and colleagues have also suffered numerous attacks. So, how does it feel to live for years with a virtual target mark on your back?…

Hosted By

Ran Levi

Co-Founder, PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Thamar Eilam Gindin

An Iranist, a bridge-builder, an eye-opener.

In my own way, I build bridges between the nations of Iran and Israel. I do it through spreading knowledge and opening people's eyes to the fact that we are much more alike than they might think. I hope to be Israel's first cultural attachée in free Iran. I spread the knowledge through books, press interviews and lectures, as well as through this blog and my (also Hebrew) podcast.

Thamar Reservoir

Over the years, we’ve told the stories of quite a few phishing campaigns, such as Operation GhostShell and Operation Aurora, by APTs and similar threat actors. We usually talk about these sorts of campaigns as targeting businesses, defense contractors or government organizations – but really, when you stop to think about it, the actual targets of all phishing campaigns – the ones who literally get phished – are humans. And humans, you know, have feelings and emotions and all that fluffy stuff…

So, how does it feel to be the target of a bona fide nation-state phishing campaign? I don’t mean your common spray-and-pray phishing campaign of the sort we’re used to seeing in our mailboxes. I’m talking about a persistent, years-long campaign, targeting yourself as well as your friends, family and professional colleagues. Phishing attempts on every conceivable platform, from emails to social media to your workplace. How does it feel to live for YEARS, feeling like you have a target mark on your back?…

Thamar

Thamar Gindin is an Israeli scholar whose research focuses on the Persian language.

“[Thamar] I’m a linguist. I have a PhD in Iranian linguistics. I gave some summer schools in Germany, in Hamburg, where students, linguistic students from Iran came to study the history of the Persian language.”

But Thamar’s interests go much further than simply the language spoken in Iran, modern-day Persia. She’s been enamored with Persian culture since she was in high school.

“[Thamar] I learned their language, I learned their cooking. Still not very good with desserts, even though it’s been almost three decades. And music, I like Iranian rock better than Iranian classical music. […] And I do my best to show the Israelis the rich culture of Iran, the rich culture and heritage. And to make sure that Israelis know everything about Iran, I also show the face of Israel to Iranians. But I am an Iran expert, not an Israel expert.”

Thamar has a very active Facebook account, where she often gets messages from her followers and colleagues around the world – including, occasionally, Iranian scholars and students. One such scholar reached out to her via Facebook Messenger in 2011.

“[Thamar] When he first contacted me, he said he wants to do joint research with the Ezri Center in Haifa University for Iran and Persian Gulf research, where I am a research fellow. And he wants to do a linguistic research comparing Hebrew and Persian. I’m sorry, there’s nothing to compare. I mean, if you compare a lot of languages, Hebrew and Persian can be two of them. But you don’t compare Hebrew with Persian. It’s like comparing. I don’t know. Bananas and sofas. […] And I said, I can’t collaborate with you because you’re in Iran and it’s dangerous for you. I don’t want to take it on my conscience that you would be arrested and tortured.”

Thamar’s concern for the man’s safety was probably justified: on several occasions in the past, the Iranian authorities arrested people who were accused of being Israeli spies. The two countries, which were close allies back in the 1960s and 70s, became bitter enemies after the 1979 Islamic revolution that culminated with the overthrowing of the ruling monarch, the Shah, and the establishment of a radical Islamic republic.

Thamar assumed that her rejection would end their conversation, but a few months later she received a new message from the Iranian scholar, who told her that –

“[Thamar] I left Iran and moved to Yerevan in Armenia. And now you have to come meet me because I did it only for you. And you’re my best friend and like, whoa. I didn’t say I will collaborate with you if you move out. I said I won’t collaborate with you as long as you’re in. It’s not the same thing.”

At the time, Thamar assumed that this supposed ‘Iranian scholar’ was just a random Internet weirdo. It never occurred to her that the person or persons she was conversing with was an Iranian Intelligence agent – or why he was trying to get her to travel to Yerevan, a town barely 20 miles from the Armenian-Iranian border. It was only much later, when the whole affair blew up, that –

“[Thamar] I asked some experts what could they want if I had said yes. It could have been anywhere from sending me a link – “Your ticket is on the drive” and then just, you know, again, trying to phish for my credentials. Or it could have been sending me a real ticket and anywhere from kidnapping to recruiting as their, you know, informer. I didn’t want to check wisely. Yeah, I have three children. I like them to have a mom as long as possible.”

“Hello Miss Doctor”

As you might imagine, Thamar’s fascination with Iran is somewhat uncommon in Israel, and so her deep familiarity with the Persian language and culture made her into a sought-after guest in the Israeli media – and even non-Israeli media. That is why, one day in May of 2015 –

“[Thamar] I got a phone call from London, which I didn’t answer because I was in class or something. And also because I really hate phone calls and I had a secretary to take those calls at that time. And I didn’t answer the call. And the message I got was from Amin from BBC Farsi in London. […] [He] called and wanted to schedule an interview.”

This request wasn’t a total surprise for Thamar, since she had already interviewed for BBC Farsi – a Persian language subsidiary of the BBC World Service – in the past, and her previous appearances were quite successful with the Persian-speaking audience.

She missed the phone call, but later that same day –

“[Thamar] I did get an email saying we were the BBC Farsi and we want to interview you and we want to invite you to London, which is also not unheard of because there was a real interview that they wanted to invite me to their studio.”

But then Thamar noticed something…strange…about the email.

“[Thamar] The sender’s name was “Salam Hanoumi Doktor”. Hello, Miss Doctor. […] But it’s an awkward name, obviously not a human name. It doesn’t make sense. Right.”

This weird mistake – writing ‘Hello Miss Doctor’ instead of the actual sender’s name – raised Thamar’s suspicions.

“[Ran] How proficient were you in identifying phishing emails, you know, these kinds of scams that kind of circulate in emails?
[Thamar] Very.”

The email included a link.

“[Thamar] And the questions we want to ask are attached on Google Drive. […] I clicked on the link and I saw a sign in page, a Google sign in page. And then I looked at the address and I saw it was something like ‘userslogin.com’.
[Ran] So the URL of the login page wasn’t what you were expecting.
[Thamar] Was not Google, right.”

And there was another strange thing about the Sign In page: the fact that it was there in the first place – because Thamar was already logged in to her Google account.

“[Thamar] I saw that I wasn’t logged out because why should I be logged in? If I’m logged in, my drive should just appear.”

Thamar tried to reply to the email, and as she half-expected to discover, the reply address wasn’t an official BBC email address, but a random Gmail one. She was now convinced that it was a phishing email – and yet, at this point in time, it still didn’t occur to her to wonder why the supposed scammers targeted her through an organization she already had a relationship with.
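Two of the tells Thamar describes here, a reply address at a free webmail provider rather than at the BBC and a "Google Drive" link that leads to a non-Google host, can be checked mechanically. The Python below is an added example, not part of the episode; the sample message, the `.example` hostnames, the allowlists and the function names are constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlists for this example; a real deployment maintains its own.
SERVICE_DOMAINS = {"google drive": {"google.com"}}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}

# Constructed sample message (not the real email); .example hosts are placeholders.
SAMPLE = """\
From: "Salam Hanoumi Doktor" <interviews@bbc-farsi-desk.example>
Reply-To: constructed.sender@gmail.com
To: recipient@example.org
Subject: Interview request
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>The questions we want to ask are attached:
<a href="http://accounts.google.com.userslogin.example/signin">Interview
questions on Google Drive</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((self._href, text))
            self._href = None


def host_in(host, domains):
    """True only for the exact domain or a real subdomain of it, so that
    'google.com.userslogin.example' does not pass as 'google.com'."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def addr_domain(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw, claimed_org_domains):
    """Return findings for a message that claims to come from an organisation."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"]) or from_dom
    if not host_in(from_dom, claimed_org_domains):
        findings.append(f"from-not-org:{from_dom}")
    if reply_dom != from_dom:
        kind = "reply-to-webmail" if reply_dom in FREE_WEBMAIL else "reply-to-differs"
        findings.append(f"{kind}:{reply_dom}")
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            collector.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in collector.links:
        host = urlsplit(href).hostname
        for service, domains in SERVICE_DOMAINS.items():
            # Link text names a service but the target host is not that service's.
            if service in text.lower() and not host_in(host, domains):
                findings.append(f"link-host-mismatch:{service}->{host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE, {"bbc.co.uk", "bbc.com"}):
        print(finding)
```

The suffix check in `host_in` is the part that matters most: a plain substring test for "google.com" would accept the constructed lookalike host.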

The next morning –

“[Thamar] I got another email, this time from Weizmann University.”

The Weizmann Institute is a renowned Israeli academic Institute. Note that last word: “Institute.”

“[Thamar] And Weizmann is not a university. No one says Weizmann University except people who don’t know Weizmann. So this was the first, you know, red flag.”

With yesterday’s phishing attempt still fresh in her memory, Thamar was now more cautious.

“[Thamar] And then I got in and Weizmann University decided to open an Iran forum for diplomats, researchers, politicians, activists. And I look at the source, it was really sent from Weizmann “University” Institute servers. Yeah, both the email and the site that I was directed to were on the Weizmann servers.”

Although it seemed that the email was sent from a legitimate server belonging to the Weizmann Institute itself, Thamar was still suspicious. She figured this was yet another attempt to get her to send the attacker or attackers her Gmail login credentials. So when she was asked to enter her credentials in yet another sign-in page –

“[Thamar] And this time I gave them a password. I wrote in Hebrew “Some lie.””

Thamar was toying with her attacker: she literally entered the words “Some Lie”, in Hebrew, in the password field. It’s a reference to a comedy sketch from the Israeli equivalent of Saturday Night Live.

“[Thamar] And then I got the message that you were just given the two factor authentication. So what’s the number you got? Of course, I didn’t get any MFA because I didn’t give them the right password.”

She forwarded the email she received to a friend of hers who was working at Google at the time.

“[Thamar] And I said, oh, I got this email. And he saw that there were numbers on the top and he tried to change the numbers and we got sign in pages for all sorts of Israeli politicians. I think Elazar Stern was there. I think Danny Nave was there. So we understood that something was going on.”

Elazar Stern and Danny Nave are two well known Israeli politicians. It was then that Thamar realized that what she was actually dealing with was not an ordinary phishing scam: it was a massive spear-phishing campaign directed at prominent Israeli public figures – including, it seemed, herself.

Going over the names of the other victims of the campaign, she noticed that many of them were experts on Iran or Persian culture, a fact which hinted at the possible identity of the assailants: Iranian hackers, or maybe even the Iranian Intelligence. Thamar decided to post a public warning about the campaign.

“[Thamar] I also posted that to Facebook, not the sign in page for the other people, but the fact that I got it. And then on that day, one of my friends posted on Rotter: an Israeli forum, like a news forum. I don’t know what to call it… like a civil news agency. Who is after the Iran experts with my screenshots?”

The post on Rotter drew the attention of ClearSky, an Israeli cybersecurity company with a rich history of exposing Iranian attacks on Israeli media organizations. A representative of ClearSky contacted Thamar.

“[Thamar] And they asked me for the sources and to research it.”

Thamar, who by that point was unwilling to trust anyone, checked with a few of her friends to make sure that the ClearSky representative was indeed who he said he was.

“[Thamar] And I have a lot of friends who know them because I have a lot of friends and high tech and a lot of I was in the army like everyone. So I have people who know them. So I know they’re good. They took my computer to check it.”

It seemed that the hackers, whoever they were, made a poor choice when they decided to add Thamar Gindin to their list of targets. It turned out that she was shrewd and knowledgeable enough to spot all the tiny mistakes that gave the attack away.

Or so she thought.

“[Thamar] I thought I was smart, but I was only smart to a certain extent.”

The One That Got Through

“[Thamar] The penny fell one afternoon when I was on my afternoon beauty sleep before taking my son from kindergarten.”

Four days after the previous phishing attempt, Thamar received an alert from Google.

“[Thamar] I checked my email and I see there was a sign-in to a deserted account of mine. So it’s not an account I use. […] it was some email that I long deserted because it turned into a spammery. […] But even though I don’t use it anymore, it woke me up like I just sat up straight and, whoa, what’s going on? So that was the first scare.”

Thamar’s attackers were able to gain access to an old email account of hers – but how? She was certain she managed to foil all of her foes’ phishing attempts.

Thamar hardly had time to ponder this mystery, when a new notification chimed on her phone.

“[Thamar] And then when I was on the way to pick my son up from kindergarten, I walked by foot.
And I got another email from the secretary of the Ezri Center in Haifa University. […] And it wasn’t her Haifa University email. It was a Gmail with her Haifa username […] But it’s OK, because when you send an email to the Hebrew University, you get an answer from Gmail. It’s a forwarding only address. So I explained to myself that maybe she gets her emails in the university from the university email, but when she sends from home, she sends it from Gmail. It didn’t raise any suspicion, but she said, I really liked your interview here. It was a VOA interview in Persian from a few years before. And I know that now, but when I clicked it, it just said you have to sign in. And I was like, whoa, whoa, no, no, no, no, no, no.”

“[Thamar] I called the secretary and she said, no, I didn’t send it.”

“[Thamar] So the first thing I did was tell the secretary, please write to all your, you know, to all your contacts not to open emails from this address.”

It was then that Thamar learned that –

“[Thamar] Meir Javedanfar, one of our colleagues and personal friends, also got an email from this address two weeks ago. […] And didn’t open it because he realized it was a scam.”

“[Thamar] So I asked him to send me the email and I look at the email and I’m like, oh, my God, I opened it. I got the same email.”

That email, sent from the secretary’s compromised email account, was a reply to a previous correspondence that Thamar was a part of: that is why she never suspected any foul play.

But if so, how did Meir figure out that the email was a scam? Well, it all boils down to pure luck. The email included an attachment, a Microsoft Excel spreadsheet, along with a message – in Hebrew – asking the recipient to fill the attached form. Hebrew, unlike English, is a gendered language, meaning that many verbs have two forms: Masculine and Feminine. Whoever wrote the message wasn’t versed enough in Hebrew, and so made a grammatical mistake.

“[Thamar] So it said, ‘I’m sorry, you have to fill this form, too.’ “I’m sorry” was in the masculine, and “you have to” was in the feminine.”

Meir, being male, immediately noticed the error and became suspicious – but Thamar, for whom the grammar was – accidentally – correct, had no reason to suspect anything was out of order. She opened the attachment.

“[Thamar] And the Excel said “enable macro in order to see the contents”, which is something now I never do. But then I didn’t know better. I enabled the macro. It showed me a form I had already filled.”

Thamar was baffled that the secretary would again send her a form she had already filled in, but figured it was a simple mistake. So she thought nothing of it, and promptly forgot about the incident – until two weeks later, when she got a notification from Google about her old junk account being hacked. It was ClearSky, the cybersecurity company, which supplied the last piece of the puzzle: when its researchers scanned Thamar’s computer, they found a keylogger installed on it.

“[Thamar] And actually, when I enabled the macro, it downloaded a file with I think it was either ASCII or UTF-8 or something that spells a PowerShell or a script that goes to a C&C server and downloads malware. So the malware that was on my computer at that time, which ClearSky found, was a keylogger, which means everything I had typed in the past two weeks, they got.”

This included, apparently, the login credentials for the junk email account – and also the credentials to Thamar’s daughter’s Gmail account, which was also hacked and had its interface changed from Hebrew to Persian. The only reason Thamar’s main Gmail account wasn’t hacked in the same way was that she had multi-factor authentication enabled on it, whereas the other two accounts weren’t similarly protected.

Thamar Reservoir

ClearSky’s investigation of the attack, published in a report titled ‘Thamar Reservoir’ – named after the vigilant linguist – concluded that,

“Several characteristics of the attacks have led us to the conclusion that an Iranian threat actor is the likely culprit. We assume, though do not have direct evidence, that it is being supported by the Iranian regime, or performed by the Regime itself.”

The report revealed that the spear-phishing campaign targeted some 550 people, mostly academic researchers and practitioners in the fields of counter-terrorism and diplomacy, journalists and human rights activists. Most of the victims were from Saudi Arabia, another rival of the Iranian regime, and roughly 15% were from Israel. ClearSky also found clear similarities between this attack and a few others carried out by what is probably the same threat actor, such as a 2014 spear-phishing campaign against a different Israeli target. Both attacks utilized malware-laced Excel spreadsheets and fake Google Sign-In pages. Investigation into the supposed Weizmann Institute “Iran Forum” revealed that the attacker hacked a virtual folder belonging to one of the institute’s researchers, and used it as part of their phishing campaign.

ClearSky also discovered that the Thamar Reservoir campaign probably began as early as 2011. It was this revelation that made Thamar realize that the Iranian scholar who messaged her, trying to get her to travel to Armenia, was in fact not some creepy Internet crackpot – and that this wasn’t the only attempt to lure her away from Israel.

For example, in 2013 she received yet another Facebook message. This time from a female Iranian student.

“[Thamar] There was another one who presented herself as a student of Hebrew in Turkey, Iranian student of Hebrew in Turkey. She wanted to translate my book to Persian, “The Book of Esther Unmasked”, which is the one that’s also published in English. […] And I sent her a sample. She didn’t translate it well at all. But, you know, she started like being my friend and inviting me to places and she wanted to invite me to lecture in Turkey. And at that time, her messenger messages also became more “I want to invite you to Turkey because it will be a great pleasure and a great honor for me to have you as my guest.” […] She wants to invite me on her expense because her father is a very, very rich carpet trader.”

A Trip to beautiful Turkey, all expenses paid?… Sounds amazing, right? Except –

“[Thamar] And then she said, ‘I have a friend in Hungary who said he had an excellent Hebrew teacher. Is that you?’ And I’m like, do you know who you’re talking to? I was a Hebrew teacher in the 1990s, but it’s not even why you approached me!
[Ran] It’s like maybe two different people were communicating or conversing with you.”

“[Thamar] I can identify a person’s idiolect. Idiolect is like the personal language that defines a person. And especially if they write in Penglish: Penglish is Persian and English letters. And because it has no convention, each person writes it a little bit differently.”

“[Thamar] And then the weirdo also wrote to me that he wants me to come to this conference on his account and be his guest because he’s a speaker. And he used the same language!
[Ran] It’s the same person.”

Further investigation by ClearSky revealed that the supposed student’s profile picture was actually a picture of a Russian model.

Life Under Constant Threat

Amazingly, the uncovering of their phishing campaign didn’t convince Thamar’s attackers to end their attempts – even after ClearSky released an official report about the Iranian campaign.

“[Thamar] There was one day, I think it was in 2017, that I got like six or seven phishing emails that were all the same and all very clearly phishing emails. I immediately sent them to my contact in ClearSky and then I saw that before I told him, he told me that there’s a phishing campaign going on right now.”

To make it harder for the Iranians to phish them, Thamar and her colleagues update each other on any new phishing attempts.

“[Thamar] It’s like a network that whenever one of your friends gets targeted, you can inform them, if they haven’t been hacked already.”

Thamar tries to take these constant attempts lightly, making fun of her attackers – like this relatively recent phishing attempt.

“[Thamar] I got an email from my dear colleague and friend. It’s almost three decades that we’re friends. And I really love him, but we’re just friends. I got an email from him saying, ‘Can you help me understand what they say on this tweet?’ Now, I know that Ran Tzimet doesn’t speak Persian, but he understands everything. And I know it because I interviewed him once and we only had to translate what he said. We didn’t have to translate the questions.
[Ran] He understands.
[Thamar] He understands everything. He follows all Persian, all Iranian media, all speeches. And I also saw that it wasn’t exactly his email address. So I wrote to them: “Oh, darling, you know that I like helping you understand better than just giving you the solution. So tonight when we meet, I will help you understand it and I’ll ask you questions. And last night was amazing.…”

But looking through the smiles and the jokes, one can still get a sense of the heavy emotional toll these unceasing phishing attempts have on Thamar.

“[Ran] We’re laughing, right? But you’ve been under constant attack for the past seven years now, at least. How does that make you feel?
[Thamar] On one hand, I’m a little bit paranoid. I’m very cautious, very, very cautious. I don’t go abroad. I consulted with people who know a thing or two about security. And they said – we recommend you don’t go to conferences when or summer schools with your name on the schedule. So what’s the point? And don’t go to conferences or summer schools where Iranians are also present. I’m an Iranist. There’s no such thing as going to conferences without Iranians.

And I know that most of my friends, I think all of my personal friends are OK. But first, you can never know. And if they’re bad, both virtual and real, if they’re bad, it’s dangerous for me. If they’re good, it’s dangerous for them, because once I am a target and I am followed, they would want to see who I meet. So I don’t want to do that to them.

[Ran] So you’re saying basically that now that I’ve contacted you and we’ve spoken over WhatsApp, whatever, I’m a target as well.

[Thamar] I don’t know. I don’t know if they’re in my phone. The basic assumption, my work assumption is that they’re everywhere. So, for example, when my kids go abroad, they don’t send me pictures until they leave the place where they took pictures in. And when they’re going abroad, when my kids go for a trip abroad, we say they’re going to we have like. OK, we have like a keyword. We say they’re in Turkey or in Antalya. And it doesn’t matter where they are in the world. We always say Turkey. And I went abroad very few times, only on personal events. I never posted it to Facebook before, only when I went to the States, because the States is considered safer than Europe. […] I didn’t take my computer. I didn’t take my phone. I borrowed a phone and I bought a temporary SIM card in the post office or a local SIM card. And I borrowed someone else’s computer or when we went to England, we bought my daughter a computer that we got there. So I’m very cautious not to travel with devices that may indicate my place.”

The fact that Thamar has managed to elude her attackers for such a long time is first and foremost due to her quick thinking and attention to detail – but also because, well…as luck would have it, the Iranians who tried to phish her were simply not very good at it. Their numerous grammatical mistakes and clumsy handling of the Facebook Messenger conversations gave them away almost each and every time.

That’s why, ironically, Thamar gets stressed when a few months go by without a new phishing attempt.

“[Thamar] Every time my colleagues get a phishing attempt and I don’t, I get stressed out because I said maybe they maybe they’re already…Yeah, you got one and you don’t know. Yeah. No, maybe maybe they’re not after me because they’re already inside. So that’s very stressful. I’m always happy to get phishing emails to let me know that I’m still in the clear.”

A Message To Thamar’s Attackers

“[Ran] OK, so I’m guessing…I think it’s a reasonable guess that your attackers are now listening to this show, because they’re getting information and they want to know what to try next. They’re probably listening. So let’s tell them something. I would ask you to tell them a message: first in Persian, so that they understand – and then in English for us.
[Thamar] Wow. OK.”

Thamar’s first message was, as befitting her joyful personality, not that serious.

“[Thamar] There’s one message I write on Facebook every time I have some encounter with some Israeli government office. I write – Dear spies, please tell your seniors you don’t have to do anything. Israel will wipe itself off the map.
[Ran] [Laughing] Just with bureaucracy.”

Her second message was a bit more optimistic.

“[Thamar] I know that you only do your job, which I also do my job. And for me, it’s really like a game. You are very good players. I really like to play with you. I hope that one day we can play other games with each other. I know that you’re only doing your job and I’m only doing my job. And I like you. I think like we’re playing a game and I hope that one day we can play normal games.”