The Iranian state-sponsored threat actor known as Charming Kitten employed new spear-phishing methods in a campaign observed in August and September, ClearSky’s security researchers report.
The attacks are related to a campaign Microsoft recently exposed as targeting a U.S. presidential candidate, government officials, media targets, and prominent expatriate Iranians. Of the 241 accounts targeted in that campaign, four were compromised.
“Until these days, Iran was not known as a country who tends to interfere in elections around the world. From a historical perspective, this type of cyber activity had been attributed mainly to the Russian APT groups,” ClearSky notes in its report (PDF).
Despite this lack of historical targeting of elections, the security researchers say, with medium-high confidence, that the attacks that Microsoft disclosed are part of the same campaign they observed over the past several months.
According to ClearSky, the victim profiles match those exposed by Microsoft, the attack times overlap, and the same attack vectors were used in both cases, suggesting the two campaigns are one and the same.
Charming Kitten, a group also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus, has been active since at least 2011, targeting activists and journalists focusing on the Middle East, U.S. organizations, and entities located in Israel, the U.K., Saudi Arabia and Iraq.
As part of the newly observed campaign, ClearSky says, the group employed three different spear-phishing methods, namely password recovery impersonation, spear-phishing emails, and spear-phishing via SMS messages.
The first impersonation vector was a message containing a link that appeared to come from Google Drive or from a colleague’s email address. Social engineering is then used to trick the victim into entering their login credentials on an attacker-controlled page.
“Another social engineering technique is to identify the Google Site from which the victim was directed and to pair the phishing page with its (the site’s) email. In other words, the victim receives an email from the attacker with a link which was prepared for them personally,” ClearSky explains.
Another vector employed SMS messages containing a link and claiming to inform the recipient of an attempt to compromise their email account. Just as in the previous type of attack, the link directs to a URL shortening service leading to a malicious website attempting to phish for the victim’s credentials.
A third attack vector employed a fake unauthorized login attempt alert, where the intended victim is informed that a North Korean attacker tried to compromise their Yahoo email address and is asked to secure their account. Previously, the victim was informed that someone from North Korea changed their email recovery options.
The fourth attack vector employed recently by Charming Kitten was social network impersonation. In an attempt to grab login credentials, the attackers have created fake sites for Instagram, Facebook, Twitter, Google, and the National Iranian-American Council.
Although not new for Charming Kitten, the targeting of Yahoo accounts is something the group had not done for a couple of years. Since 2017 the hackers had focused on Google accounts instead, but they now appear to have resumed targeting Yahoo accounts and impersonating Yahoo services.