Iran-Linked Hackers Pose as Journalists for Email Scam


A hacker group linked to the Iranian government, named Charming Kitten, has posed as journalists and attempted to trick victims into divulging passwords and other security information, Reuters reported on Wednesday.

Charming Kitten, whose criminal history dates back to around 2014, appears to primarily target academics and journalists of Iranian or Israeli extraction, or members of those professions whose work covers Iran extensively. Its operatives often impersonate real media figures and attempt to trick targets into logging onto suspicious websites to conduct online interviews, participate in webinars, or sign digital contracts.

Charming Kitten operatives have impersonated reporters for organizations such as CNN, the Wall Street Journal, and Germany’s Deutsche Welle. The group has pretended to represent Iranian media operations, or has simply invented false journalist identities.

Would-be victims interviewed by Reuters and the Wall Street Journal described the hackers as “sloppy,” prone to buttering up their targets with wildly excessive flattery or making simple mistakes that suggest they did not research the subjects carefully before approaching them. 

The hacker group’s link to the Iranian government was established with the 2019 indictment of Behzad Mesri, whom the FBI accused of working with three other Iranians to recruit a former U.S. Air Force intelligence specialist and defector named Monica Elfriede Witt as a spy.

Mesri and his co-defendants were also accused of hacking attempts against current and former agents of the U.S. government, using information provided by Witt. Mesri was further accused of hacking cable television channel HBO and stealing unaired episodes of several programs, prompting prosecutors to crib a famous line from Game of Thrones and quip that “winter has come” for the Iranian hacker.

A report from Israel’s ClearSky Cybersecurity corporation in late 2017 described Mesri as a contractor for the Iranian military. The report cited social media posts made under his hacker alias, Skote Vahshat, that suggested he was a member of Charming Kitten as well as a higher-profile cyber gang called the Turk Black Hat Security Team.

Cybersecurity analysts believe the Charming Kitten hackers work as contractors for Iranian intelligence, rather than being fully sworn-in officers of the Islamic Revolutionary Guard Corps (IRGC). The group works under several other aliases, including Phosphorus, Ajax Security Team, and NewsBeef. Like Mesri, some members appear to work with other hacking groups in addition to the Charming Kitten operation.

As with Mesri’s HBO hack, some of their operations look like side hustles intended to line their pockets, rather than Iranian intelligence operations. They have dabbled in all sorts of cybercrime, using everything from emails to text messages, impersonating everyone from friends of their targets to security agents working for big social media companies.

Charming Kitten has a long history of going after cyber-security researchers, including the aforementioned ClearSky. In late 2019, the group is believed to have tried hacking an email account used by U.S. President Donald Trump’s re-election campaign.

Their attacks often have the same clumsy style noticed by the latest round of intended victims. On one occasion, Charming Kitten operatives claimed to be an attractive female journalist eager to send photos of herself to intelligence agents before offering them an interview, provided they disabled all of their antivirus software so they could view the photos.
