The Associated Press on Thursday reported a group of hackers linked to Iran attacked U.S. officials over the past month in an apparent effort to retaliate for sanctions imposed on Iran by the United States.
The AP cited data from Certfa, a cybersecurity firm based in London that has been tracking the activities of a hacker unit known as “Charming Kitten.”
The group specializes in phishing attacks, which employ phony emails and social media posts to trick victims into disclosing security information such as account passwords, or into downloading viruses that allow hackers to access their computer systems. Charming Kitten’s phishing attacks largely consisted of fake alerts warning victims that their account security had been compromised. The alerts lured them to realistic-looking fake websites, where the victims would type their passwords in the mistaken belief they were accessing their accounts with legitimate providers such as Google.
Certfa’s investigation revealed Charming Kitten put a great deal of work into researching its targets to make the phishing emails appear convincing and, unlike most freelance hackers, preferred to lurk unnoticed in compromised accounts rather than wreak havoc. Most damning was Charming Kitten’s use of an email domain linked to the Iranian government and its Islamic Revolutionary Guard Corps (IRGC).
The group’s activities surged quickly as the tough round of U.S. sanctions went into effect in the fall. The Associated Press noted its target list included more than a dozen officials from the U.S. Treasury Department, in addition to “high-profile defenders, detractors, and enforcers of the nuclear deal struck between Washington and Tehran, as well as Arab atomic scientists, Iranian civil society figures and D.C. think tank employees.”
Among the latter group was Frederick Kagan of the American Enterprise Institute, who has written about Iranian cyber espionage. He told the AP he assumed the Charming Kitten attacks were at least partly about “figuring out what is going on with sanctions” and found the hacking campaign “a little more worrisome than I would have expected.”
Kagan said the phishing campaign looked more like the work of a “serious, state-backed operation” than freelance rogues. There was some disagreement between analysts in the AP piece and Certfa report about the professionalism of the campaign and how effective it was. Phishing is sometimes dismissed as a relatively crude technique, but on the other hand, Charming Kitten displayed an unnerving ability to target people with low public profiles whose email would be of interest to Iranian intelligence.
The Associated Press provided a few reasons to be worried about the IRGC’s cyber attack:
Iran has previously denied responsibility for hacking operations, but an AP analysis of its targets suggests that Charming Kitten is working in close alignment with the Islamic Republic’s interests. The most striking among them were the nuclear officials — a scientist working on a civilian nuclear project for Pakistan’s Ministry of Defense, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha, and a high-ranking researcher at the Atomic Energy Commission of Syria.
The trio suggested a general interest in nuclear technology and administration. Others on the hit list — such as Guy Roberts, the U.S. Assistant Secretary of Defense for Nuclear, Chemical, and Biological Defense Programs — pointed to an eagerness to keep track of officials charged with overseeing America’s nuclear arsenal.
“This is something I’ve been worried about,” Roberts said when alerted to his presence on the list.
The AP added that some of Charming Kitten’s targets were Iranian media employees, scientists, and even government officials linked to Iran’s own Department of Environment, “a possible sign that Tehran’s crackdown on environmentalists, which began earlier this year, continues apace.”