Iran-linked Charming Kitten espionage gang bares claws to pollies, power orgs
If you get email from 'Samantha Wolf', congrats: you're important enough to make a decent target
An Iranian cyber espionage gang with ties to the Islamic Revolutionary Guard Corps has learned new methods and phishing techniques, and aimed them at a wider set of targets – including politicians, government officials, critical infrastructure and medical researchers – according to email security vendor Proofpoint.
Over the past two years, the threat actor group that Proofpoint's researchers track as TA453 (other intel teams call this state-backed gang Charming Kitten, Phosphorus, and APT42) has branched out from its usual victims – academics, researchers, diplomats, dissidents, journalists and human rights workers – and adopted new means of attack.
While the group's past email campaigns often deployed web beacons tucked inside messages that ultimately led to stolen credentials, Proofpoint has observed "outlier" campaigns over the past couple of years that used "new-to-TA453 phishing techniques including compromised accounts, malware, and confrontational lures."
"Proofpoint judges with moderate confidence that this atypical activity reflects TA453's dynamic support to ad hoc Islamic Revolutionary Guard Corps (IRGC) intelligence requirements," Joshua Miller and Crista Giering wrote.
The gang's new targets and tactics also provide better insight into "TA453's potential support of IRGC surveillance and attempted kinetic operations," including murder for hire and kidnapping plots, according to Proofpoint.
In September, Google's Mandiant threat research biz also linked this cyber espionage group to Iran's IRGC, which has plotted to murder US citizens including former National Security Advisor John Bolton.
In addition to the cyber crime gang's ties to the IRGC, the Proofpoint researchers noted "with moderate confidence that the more aggressive activity could represent collaboration with another branch of the Iranian state, including the IRGC Quds Force."
Quds is the secretive arm of the IRGC that's responsible for its foreign operations and support of non-state actors like Hezbollah and Hamas. The US has designated both the IRGC and Quds Force as terrorist organizations.
Proofpoint's research also details some of the other "abnormal" for TA453 campaigns, including December 2020 attempts to phish medical professionals who research genetics, neurology and oncology in the US and Israel. That 2021 campaign targeted the email accounts of an aerospace engineer and medical researchers, using a social engineering impersonation technique called Multi-Persona Impersonation.
Such efforts see attackers use at least two personas on a single email thread to convince targets that they have sent legitimate messages.
Proofpoint also observed TA453 targeting "multiple" Tehran-based travel agencies with credential harvesting links. "The targeting of travel agencies is consistent with intelligence agency collection requirements of both the movement of Iranians outside of Iran along with domestic travel," the researchers wrote.
TA453's targets tend to be known enemies of the Islamic Republic, such as women, LGBTQ individuals, and US military officials. Proofpoint documents the miscreants using a Gmail address in a phishing campaign against a Florida-based realtor that was selling several homes located near the US Central Command headquarters, and sending phishing emails to gender and women's studies studies scholars at North American universities.
- Iran steps up its cybercrime game and Uncle Sam punches back
- Mandiant links APT42 to Iranian 'terrorist org'
- 77% of security leaders fear we're in perpetual cyberwar from now on
- Hacktivists say they stole 100,000 emails from Iran's nuclear energy agency
Some of the gang's newer email attack techniques include using compromised accounts (as opposed to TA453-controlled accounts) with URL shorteners like bnt2[.]live and nco2[.]live that redirected victims to TA453 credential harvesting pages.
"For example, in 2021, approximately five days after a US government official publicly commented on the Joint Comprehensive Plan of Action (JCPOA) negotiations, the official's press secretary was targeted via a compromised email account from a local reporter," according to the Proofpoint researchers.
Proofpoint and CheckPoint Research also document TA453 using GhostEcho malware – a newer PowerShell backdoor used to deliver additional spyware to targeted devices.
And in another noteworthy tactic, the cyber spies used the same fake persona – "Samantha Wolf" – in social engineering campaigns sent to US and European politicians and government entities, a Middle Eastern energy company, and a US-based academic. ®