Iran’s elite Islamic Revolutionary Guard Corps is accelerating efforts to hack into the accounts of U.S. and Western leaders, academics, and journalists focused on nuclear strategy and the Middle East — possibly as part of an effort to track former American officials Tehran has threatened to assassinate.
The attacks, described by the California security firm Proofpoint and a number of former U.S. officials suspected of being targets, have been carried out by the IRGC-affiliated hacking group Charming Kitten, and are seen as backing Tehran in its escalating standoff with the U.S. and Europe over Iran’s nuclear program and military support for Russia in the Ukraine war.
Joshua Miller, a Proofpoint senior threat researcher, and these former U.S. officials told Semafor that the IRGC is seeking to better understand and predict Western decision-making and diplomacy aimed at constraining Iran’s nuclear program. The Biden administration has said it’s prepared to resume formal talks, although Israel has said it’s willing to use military force to destroy Iranian nuclear sites.
But whereas earlier Iranian hacking efforts were mostly aimed at gathering intelligence and espionage, Miller says there’s evidence that Charming Kitten’s efforts are now also designed to support the IRGC’s global terrorism operations, including kidnapping and assassinations.
Iran has publicly vowed to kill a number of Trump-era officials — including former Secretary of State Mike Pompeo and one-time National Security Advisor John Bolton — whom it blames for the 2020 drone strike that killed Major Gen. Qassem Soleimani, commander of the IRGC’s international operations. The Department of Justice indicted IRGC leaders last year for an alleged plot to kill Bolton in Washington.
Miller told Semafor in an interview Monday that hacking the accounts of former U.S. officials could help the IRGC track their targets.
“Our assessment is that … the surveillance of someone close to your assassination target would make sense from an intelligence planning perspective,” he said. “We’re careful to say that we don’t see definitive proof. But we’ve seen enough that we were willing to publish.”
Charming Kitten and other Iranian cyber operators emerged in the 2010s as the U.S. and Israel initiated their own cyber-attacks on Iran and its nuclear infrastructure. The two countries’ use of a malware virus called Stuxnet, beginning in 2010, is seen as one of the first examples of states using cyber weapons to advance their national security strategies.
Iran, in turn received a huge boost for its cyber operations against the U.S. in 2013 when a former U.S. Air Force sergeant, named Monica Witt, defected to Tehran. The Department of Justice accused her in a 2018 indictment of carrying cyber targeting data to her Iranian handlers.
Since then, the U.S. government and cyber security firms have tied Charming Kitten to a string of strategic hacks, such as on American and Saudi Arabian banks and critical infrastructure, as well as to pure money-making endeavors like ransomware. (This included a 2017 hack of HBO in which the Iranian syndicate threatened to prematurely release Game of Thrones scripts.) The U.S. Treasury Department sanctioned the Charming Kitten network last September, outlining the Iranian tech companies and cyber operators who were supporting the IRGC.
Charming Kitten’s recent campaign against former U.S. officials and academics has largely focused on using fake email accounts and websites to lure in their prey. Proofpoint tracked bogus messages purportedly sent by Professor Karl Roberts of the Royal United Services Institute for Defense and Security Studies — a real person at a genuine organization. The former U.S. officials interviewed by Semafor described getting similar bogus outreach from often real individuals.
The U.S. and Iran have been in conflict since Islamist radicals seized power in Tehran back in 1979, with cyber operations being a middle ground short of actual combat. It just remains to be seen if this can be contained.
Charming Kitten’s cyber operations come as tensions between the Biden administration and Tehran remain high. In March, Iranian-backed militias in Syria killed an American defense contractor operating there. And the U.S. and Iran continue to engage in tit-for-tat seizures of oil tankers operating around the Persian Gulf. Last week, the U.S. Navy said it warded off an attempt by an Iranian warship to capture two oil-carrying vessels near Oman.
Any moves by the IRGC to make good on its threats to assassinate these former U.S. officials would likely breach a U.S. red line. Proofpoint’s reports on the IRGC collecting information on former officials and influential academics through Charming Kitten points in that direction.
The View From Tehran
Iran has been open about the fact that it’s in a cyber war with the U.S. and that Tehran’s rapidly advancing its capabilities in this battle. Senior Iranian officials have cited the U.S.-Israel Stuxnet attack as the first shot in this digital war.
“The United States started that cyber war, with attacking our nuclear facilities in a very dangerous, irresponsible way that could’ve killed millions of people,” former foreign minister Javad Zarif told NBC News in 2019. “So, there is a cyber war … and Iran is engaged in that cyber war. But any war that the United States starts, it won’t be able to finish.”
Room for Disagreement
The U.S. has publicly warned about the threat Iran poses to these former U.S. officials and political dissidents on American soil. But there remains uncertainty within the administration about whether the IRGC would actually go through with such targeted assassinations, knowing the potential repercussions.
Iran and its operatives haven’t executed a political hit in the U.S. since the time of the revolution. But their calculations could be shifting. The Booker Prize-winning writer Salman Rushdie, who has been the target of an Iranian death fatwa since 1989, was brutally attacked by a regime supporter last August in New York. And the Department of Justice in January indicted three men for plotting to kill the Iranian political activist Masih Alinejad in the U.S.
Borzou Daragahi of the Atlantic Council wrote in May about Iran’s uses of cyber capabilities to kidnap its political opponents globally.
The legacy of the joint-U.S.-Iran Stuxnet attack on Iran looms large.