Charming Kitten Targets High-Level US Government Employees and Israeli Scholars
Charming Kitten, the Iranian state-sponsored threat actors, are using WhatsApp, LinkedIn, and spear phishing emails to contact targets. The victims are journalists, academics, high-level US government officials, and activists. The objective is to steal login credentials or to infect their computers with malware. The threat actors impersonate journalists, a typical tactic for Charming Kitten, to fool the targets.
Charming Kitten has increased its use of WhatsApp and LinkedIn to contact targets and establish a conversation. Previously the threat actors only used phishing emails and SMS text messages. This new tactic began last month. The attackers even use WhatsApp voice calls, impersonating Persian-speaking journalists, to establish trust.
“In the past few months, it seems that Charming Kitten has expanded its target list, adding the Baha’i community, high-ranking American civil servants and officials (including ambassadors and former employees of the US State Department), and COVID-19 related organizations such as Gilead and WHO. In the current campaign, we identified attempts to attack Israeli scholars (targeting their institutional email account), and US government employees,” says a report by cyber security researchers at ClearSky.
ClearSky security analysts reported two phishing campaigns – one impersonating Deutsche Welle journalists and the other impersonating Jewish News journalists. Charming Kitten’s favorite media organizations to impersonate include Germany’s Deutsche Welle public broadcasting company and the Los Angeles-based Jewish Journal magazine.
Charming Kitten Phishing
This month, the hackers changed their approach to include the use of WhatsApp and LinkedIn. The threat actors contacted victims with a spear phishing email but only attempted to start a dialogue. In this new variation, Israeli researchers from Haifa and Tel Aviv Universities were targeted.
Posing as journalists, Charming Kitten extends an invitation to the targets to participate in a webinar that covers topics that are likely of interest to them. The email asks for the target’s contact information but does not contain malicious links. If the target shares their phone number, the threat actor moves the conversation to a WhatsApp voice call.
If the target does not share their phone number, then the attacker sends messages to them using LinkedIn.
Next, the victim is invited to attend a webinar. If they don’t respond to the invitation to join the webinar, the temptation is increased by offering to feature them as a speaker. The link to register for the webinar sends the victim to a legitimate but compromised Deutsche Welle (dw[.]de) web page. Each target is tracked with a link that is tailored to their individual email account.
The victim is prompted to sign up using their university email address. The malicious web page harvests their MS Outlook credentials.
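Because the registration page sits on a legitimate but compromised site, domain reputation alone will not flag the link; the per-recipient tailoring is the more useful signal. The following is an added example, not taken from the ClearSky report: a mail-triage check that flags links carrying the recipient's own address. The set of encodings, the function names and the sample message are assumptions, since the page does not say how the links are tailored.

```python
import base64
import hashlib
import re
from urllib.parse import unquote, urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def recipient_tokens(addr):
    """Forms of the recipient address a tailored link could carry (assumed set)."""
    raw = addr.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_tailored_links(body, recipient):
    """Return (url, host, token_kind) for each link that identifies the recipient."""
    tokens = recipient_tokens(recipient)
    hits = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        # Look only at path, query and fragment: the host may be a genuine site.
        tail = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
        for kind, token in tokens.items():
            # Base64 is case-sensitive; every other form is compared in lowercase.
            text = tail if kind.startswith("base64") else tail.lower()
            if token in text:
                hits.append((url, parts.hostname, kind))
                break
    return hits

# Constructed sample message; the address and hosts are placeholders.
SAMPLE_RCPT = "r.cohen@university.example"
SAMPLE_BODY = (
    "We would be honoured to have you speak at our webinar. Register here:\n"
    "https://media.example/webinar/register?u="
    + base64.urlsafe_b64encode(SAMPLE_RCPT.encode()).decode() + "\n"
    "Programme: https://media.example/events/programme.html\n"
)

if __name__ == "__main__":
    for url, host, kind in find_tailored_links(SAMPLE_BODY, SAMPLE_RCPT):
        print(f"{host}: recipient address present as {kind} in {url}")
```

Legitimate newsletters also embed recipient identifiers, so a hit is a reason to review unsolicited mail from a new correspondent, not a verdict on its own.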
APT35 – Charming Kitten
Charming Kitten, also known as Advanced Persistent Threat Group 35, APT35, Phosphorus, or Ajax, is a state-sponsored group of hackers that works at the behest of the Iranian government. Typical targets include Iranian academia experts, human rights activists, and journalists. These threat actors typically use email or SMS text messages to send phishing messages to their victims.
In July, Charming Kitten accidentally exposed videos related to the group’s hacking and training activities.
Although APT35 is making its first foray into LinkedIn phishing, other Iranian state-sponsored hackers have used the platform to target Americans. Advanced Persistent Threat Group 24, aka Refined Kitten, attempted to trick LinkedIn users into downloading malware with a fake profile.