An Iranian cyber espionage group known as Charming Kitten is believed to be behind a campaign targeting academic researchers, human rights activists, media outlets and political advisors focusing on Iran, according to a report published earlier this week by Israel-based threat intelligence company ClearSky Cyber Security. The group has also set up a news outlet called The British News Agency to lure targets in.
Most of the group’s targets are in Iran, the U.S., Israel and the U.K., the report said, but some come from countries including France, Germany, Switzerland, Denmark, India, Turkey and the United Arab Emirates.
The report detailed the various methods used to gain access to computers and personal social-media accounts. Those include false identities, the impersonation of real companies, watering hole attacks (malicious code inserted into a website the targets are known to visit, after that site has been breached) and spear phishing: targeted messages that impersonate service providers like Gmail or Facebook to trick specific people into entering their credentials or other personal information on a fake login page.
A significant mainstay of the group’s activity was the establishment of a media outlet called The British News Agency. Much effort went into creating a seemingly legitimate website, including details about the agency and a contact list of the management team. The purpose of the site was to attract the targets and infect them with malware.
The scope and systematic character of the attack reveal that it is not a private venture, said Eyal Sela, Head of Threat Intelligence at ClearSky, in an interview with Calcalist, and the threat intelligence community is quite sure Charming Kitten is only one of several such groups linked to the Iranian regime.
The attack was not made for financial gain, said Mr. Sela: “not one person hacked suffered financial damage. The identity of the attacked—human rights activists and people with political ties—does not support the thesis that the campaign is connected to criminal groups.”
The real purpose of the attack is to ferret out information about Iranian dissenters, said ClearSky CEO Boaz Dolev in an interview with Calcalist. “They want to know who the researchers are talking to,” he said, adding that the targets’ contact lists serve as a list of traitors. “They want to know who in Iran is in contact with such people out of the country.”
According to the report, multiple Israeli researchers of Iran and the Middle East were sent emails and Twitter direct messages from accounts registered under seemingly Jewish Israeli names. Messages from one such account were presented as coming from a journalist and political researcher at KNBC News. Other messages were presented as coming from an Israeli political researcher raised in California who needed help with an article and also wanted to apply for a position at an Israeli university. Another message was described as coming from a Jewish girl living in Iran. These messages often linked to phishing pages.
ClearSky cannot estimate how many accounts were successfully infiltrated, but the success rate for such attacks is usually around 10%, said Mr. Dolev.
ClearSky reports also point out a connection between Charming Kitten and Behzad Mesri, also known as “Skote Vahshat,” the Iranian national indicted in the U.S. for hacking into HBO and leaking episodes of several series, including Game of Thrones. According to the FBI, Mesri has at times been a member of an Iran-based hacking group called the Turk Black Hat security team.
According to ClearSky, Mr. Mesri follows entities connected to Charming Kitten on Twitter, and was in the Turk Black Hat group at the same time as a hacker called ArYaIeIrA, whose handle now also appears in the registration details of multiple domains owned by Charming Kitten. The report’s authors estimate “with medium certainty” that Mr. Mesri is directly connected to Charming Kitten, and is potentially part of it, a link that D.C.-based security researcher Collin Anderson had previously hypothesized.
The Iranian attackers are active hackers who were noticed and recruited by the Iranian authorities, not people officially recruited at a young age and then trained for the job, said Mr. Sela. That is why they leave a public residue, like signatures on the websites they deface. Many of the group’s members are Facebook friends with Mr. Mesri, said Mr. Sela: “these are not people that approve every friend request. They have maybe 200 friends. They only confirm people they know.”