Charming Kitten Campaign involved new impersonation methods

Iran-linked APT group Charming Kitten employed new spear-phishing methods in attacks carried out between August and September.

Security experts at ClearSky analyzed attacks recently uncovered by Microsoft that targeted a US presidential candidate, government officials, journalists, and prominent expatriate Iranians. Microsoft Threat Intelligence Center (MSTIC) observed the APT group making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts.

ClearSky researchers pointed out that these attacks represent a shift in the group tactics because this is the first time that the Charming Kitten group attempted to interfere in the elections of a foreign country.

The experts said, with medium-high confidence, that the campaign uncovered by Microsoft is the same campaign they observed over the past several months.

“We evaluate in a medium-high level of confidence, that Microsoft’s discovery and our findings in our previous and existing reports is a congruent operation” reads the report published by ClearSky, “based on the following issues:

  • Same victim profiles
  • Time overlapping
  • Similar attack vectors”

Iran-linked Charming Kitten group, (aka APT35, PhosphorusNewscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.

Microsoft has been tracking the threat actors at least since 2013, but experts believe that the cyberespionage group has been active since at least 2011.

As part of the recently observed campaign, the state-sponsored hackers used three different spear-phishing methods:

  • Ending an email message leveraging social engineering methods.
  • Impersonating social media websites, such as Facebook, Twitter and Instagram, as well as using these social media to spread malicious links. Experts also has observed a few social media entities that used social media to contact their victims in order to trick them into visiting malicious websites.
  • Sending SMS messages to the cellular phone of the victim. The messages include a link and claim to inform the recipient of an attempt to compromise their email account. The link points to a malicious phishing website.

Experts have identified more than eight new and unknown domains, all of which bear the ‘.site’ TL, that were involved in the attacks.

Other technical information, along with indicators of compromise (IoCs) are included in the report.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X