An Iranian state-backed hacking group is spear-phishing cybersecurity and computer science experts in Israel.
Charming Kitten (aka APT42, Educated Manticore, Mint Sandstorm) is a decade-plus-old advanced persistent threat (APT) associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), a military organization designed to protect the Iranian regime, which reports directly to the Ayatollah.
As part of its mandate, IRGC is known to deploy hacker groups to spy on governments both friendly and unfriendly to the Islamic Republic, as well as individuals outside and inside of Iran. In recent days, for example, Charming Kitten has been playing its role in the regime’s war with Israel by spear-phishing prominent Israeli academics and experts in the cybersecurity and computer science fields, according to Check Point Research (CPR).
Iran Spying on High-Profile Israelis
Charming Kitten is the right threat actor to attempt a campaign like this. For years now, it has used spear-phishing to infect senior officials, experts, and other influential individuals working in the research, public policy, media, government, and military sectors.
The attacks begin with operators presenting themselves as a relevant persona: a journalist, researcher, or some other notable individual. In this latest campaign, Charming Kitten has posed as employees of cybersecurity companies, using characteristically Jewish-sounding names and other personal details, according to CPR. The hackers email targets or, more often, write to them via WhatsApp. The WhatsApp approach may be intended to elicit quicker responses, evade email filters, or lend the messages legitimacy, since the sender already had the target’s phone number.
The lures are written in clear English, and personalized to some extent based on whom they are targeting. In the following example, the threat actor ironically references breaking research on cyber threats to Israel from Iran.
[Figure: example lure message. Source: Check Point Research]
“The actor here did a good information collection job, because they knew how to approach each person — who would likely be somehow connected to them, know their name and their company affiliation, and already have their number but also not be a close friend,” says Sergey Shykevich, threat intelligence group manager at CPR.
To avoid raising alarms, the attackers do not include any sort of malicious link or attachment in their initial overture. Instead, they request meetings with victims — opportunities to collaborate, share insights, etc. In at least one case, the attackers even requested an in-person meeting in Tel Aviv. Whether this was just a superficial tactic or the operation truly did extend beyond cyberspace is unclear.
The point is to gain trust before asking for a victim’s email address. Then, finally, the attacker sends a phishing link, leading to a credential phishing page with the email field already filled in, for added realism.
Some meeting invitations add an extra layer of verisimilitude by directing targets to a static page mimicking a Google Meet lobby. Victims who click anywhere on the page are redirected to another page mimicking Google’s authentication process.
Though subtle in some ways, “they are very quick, and very aggressive in conversation — especially talking with WhatsApp — urging the target to click the link. So, in most cases, the attack is either a success or failure within a day or two. And then either way, they just continue to the next target and stop using the same domain,” Shykevich explains. The speed with which Charming Kitten cycles through infrastructure may pose a challenge for those tracking their indicators of compromise (IoCs).
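The lure traits described above (a credential page that arrives with the target’s email already filled in, a fake Google Meet lobby on a domain that merely resembles Google’s, and domains that are discarded after a day or two) can each be turned into a triage rule for a defender. The following is an added example, not code from Check Point Research or from the article; it runs three such rules over constructed proxy-log lines, and the hostnames, addresses and first-seen dates it uses are placeholders standing in for a passive-DNS or certificate-transparency feed.

```python
"""
Added example (not from the Check Point report or the article): triage of
proxy/mail-gateway log lines for the lure traits the article describes.
All hostnames, users, dates and addresses below are constructed placeholders.
"""
import re
from datetime import date
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Hosts that legitimately serve Google Meet / Google sign-in. Any other host
# that mentions "meet" or "google" is treated as an imitation.
LEGIT_GOOGLE = {"google.com", "meet.google.com", "accounts.google.com"}

# Constructed first-seen dates, standing in for a passive-DNS lookup.
FIRST_SEEN = {
    "meet-invite-secure.example": date(2025, 6, 20),
    "docs-share.example": date(2023, 1, 5),
}


def registrable(host):
    """Crude registrable-domain extraction (last two labels); a real
    deployment would use a public-suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url, today=date(2025, 6, 22), young_days=14):
    """Return the list of reasons a URL resembles the campaign's lure pages."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    reasons = []

    # 1. A victim email carried in the query or fragment, i.e. the address
    #    the phishing page pre-fills for added realism.
    blob = unquote(u.query + " " + u.fragment)
    for email in EMAIL_RE.findall(blob):
        reasons.append(f"prefilled-email:{email}")

    # 2. A host that imitates Google Meet or Google sign-in.
    if ("meet" in host or "google" in host) \
            and host not in LEGIT_GOOGLE and not host.endswith(".google.com"):
        reasons.append("google-lookalike-host")

    # 3. A domain first seen only days ago: the actor cycles infrastructure
    #    per target, so age is a stronger signal than any fixed IoC list.
    seen = FIRST_SEEN.get(registrable(host))
    if seen is not None and (today - seen).days <= young_days:
        reasons.append(f"domain-age:{(today - seen).days}d")
    return reasons


def triage(log_lines):
    """Parse 'timestamp user url' lines and return {url: reasons} for hits."""
    hits = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        url = fields[2]
        reasons = classify_url(url)
        if reasons:
            hits[url] = reasons
    return hits


# Constructed sample log lines (timestamp, user, requested URL).
SAMPLE_LOG = [
    "2025-06-22T09:14:01Z alice https://meet-invite-secure.example/lobby?e=alice%40univ.example",
    "2025-06-22T09:20:44Z bob https://docs-share.example/report.pdf",
    "2025-06-22T09:31:10Z carol https://meet.google.com/abc-defg-hij",
]

if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG).items():
        print(url, "->", ", ".join(reasons))
```

The prefilled-email rule is the most useful of the three in practice: the address in the URL names the person who was targeted, so a hit can be routed straight to that user for notification even when the page itself has already been taken down.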
Cybersecurity Experts Targeted
The primary targets of this latest campaign are experts in the computer science and cybersecurity fields, particularly from academia. Shykevich posits that “it could be part of a retaliation. There are assumptions that Israel physically damaged some cybersecurity units and [infrastructure] in Iran. And cybersecurity experts are high-profile people in some cases — I think many people assume that some of them are also connected to national cyber operations.”
“And it’s a very good type of target to show off to journalists, if you are successful,” he says. Per that point: Besides computer experts, Charming Kitten also appears to be going after journalists. Just a few days before the time of writing, one journalist publicly disclosed having been targeted in an attack that closely aligned with the group’s latest tactics, techniques, and procedures (TTPs).
Though it’s not clear how many individuals have been targeted in all, and whether any of them were ultimately compromised, CPR was able to identify more than 100 domains and subdomains comprising Charming Kitten’s current campaign infrastructure. “We assume that each one is for one target, though maybe in some cases they’re used for more than one for one target. So we assume that there are dozens of different targets, at least,” Shykevich says.
He adds, “We also assume that the campaign likely is much wider [than we’ve seen]. Because of the scale of the infrastructure, there are likely more sectors and maybe even there are targets in other countries besides Israel, based on the history of this actor generally.”