Charming Kitten hacker group which is believed to be backed by Iranian government employed new spear-phishing methods in a recent campaign aimed against individuals of interest to Iran, a ClearSky’s report revealed.
The researchers believe that observed attacks are part of a campaign recently exposed by Microsoft aimed at a U.S. presidential candidate, government officials, government officials, journalists covering global politics and prominent Iranians living outside Iran. As a result of this campaign four accounts got compromised, out of a total of 241 that were targeted, Microsoft said. These spear-phishing attacks were conducted by Charming Kitten (aka APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus) in August and September 2019.
“Until these days, Iran was not known as a country who tends to interfere in elections around the world. From a historical perspective, this type of cyber activities had been attributed mainly to the Russian APT groups,” ClearSky’s team noted.
The researchers believe with a medium-high level of confidence that Microsoft’s findings and recently observed campaign are related to each other based on several aspects: same victim profiles (in both cases the victims were individuals of interest to Iran); time overlapping (ClearSky researchers observed an escalation of the attacks in July-August 2019, Microsoft mentioned that the attacks occurred on in a 30-day period between August and September); similar attack vectors (both campaigns were leveraging spear-phishing attacks).
As part of the newly observed campaign, the group employed three different spear-phishing methods, specifically, password recovery impersonation, spear-phishing emails, and spear-phishing via SMS messages. The impersonation vector involved a message with a link pretending to arrive from Google Drive or from a colleague’s email address. The attackers used social engineering techniques in order to fool victims into exposing their login credentials.
“Another social engineering technique is to identify the Google Site from which the victim was directed and to pair the phishing page with its (the site's) email. In other words, the victim receives an email from the attacker with a link which was prepared for them personally. Identifying the attack – at the address line, the victim's email appears, and if it will be changed, the email presented at the site will change as well,” the researchers explained.
The second vector used SMS messages containing a link and a warning about attempts to compromise the recipient’s email account. Like in the previous case, the link directs to a URL shortening service leading to a malicious website attempting to steal the victim’s credentials.
The third attack vector used a fake unauthorized login attempt alert, claiming that someone from North Korea attempted to compromise the victim's Yahoo mail. The message includes the IP address of the alleged intruder and a button which the victim needs to push to secure their account.
The fourth attack vector involved social network impersonation - the hackers have created fake sites for Instagram, Facebook, Twitter, Google, and the National Iranian-American Council in order to steal login credentials.
While in the past the Charming Kitten has been known to repeatedly target Yahoo accounts, since 2017 the threat actor has switched its focus on Google accounts instead. But, as the researchers discovered, it appears that the hackers once again has returned to targeting Yahoo accounts and impersonating Yahoo services.