Iranian cyber espionage highlights human element

An Iranian state-backed hacking group known as Charming Kitten has launched a campaign aimed at compromising the email accounts of US officials, according to data gathered by UK-based security firm Certfa.

The cyber espionage campaign appears to be in response to renewed US economic and military sanctions on Iran after US president Donald Trump tore up a nuclear reduction deal with Iran in May, reports Associated Press, which drew on Certfa data tracking Charming Kitten’s attempts to break into the email accounts of US Treasury officials tasked with enforcing the sanctions.

Also targeted were email accounts belonging to high-profile defenders, detractors and enforcers of the nuclear deal between the US and Iran, Arab atomic scientists, Iranian civil society figures and Washington think-tank employees, according to AP.

The campaign was uncovered when Certfa researchers found a list of target email accounts that Charming Kitten had left on one of its servers that was open to the internet.

The researchers were able to recover a list of 77 Gmail and Yahoo addresses targeted by the hackers that they handed to AP for further analysis.

According to Certfa researchers, the cyber espionage campaign relied on phishing to steal email account passwords, with some phishing emails reportedly mimicking Gmail security alerts to trick recipients into entering their account passwords.

Charming Kitten also created websites with the same design and look of a Google Drive file-sharing page, and pretended to be sharing a file with the targeted individuals, the Certfa researchers found.

The group used hacked Twitter, Facebook and Telegram accounts to send these links and target new users. When the targets tried to access the shared file, they were directed to the fake Google login page to trick them into entering their credential details including two-factor authentication.

Phishing attacks are the most common form of infiltration used by Iranian state-backed hackers to gain access to accounts, Cerfa said in a report on Charming Kitten’s activities.

The hackers design specific plans for each target based on the level of targets’ cyber knowledge, their contacts, activities, working time and geographic situation, the report said.

Certfa researchers noted that, unlike previous phishing campaigns, in some cases the hackers did not change the password of their victims’ accounts.

“This allows them to remain undetected and monitor a victim’s communications via their email in real time,” the researchers said.

Israel Barak, chief information security officer at security firm Cybereason, said news of the cyber espionage campaign should be no surprise to anyone.

“Iran and all nation-states have been hacking each other for decades and we can expect it to continue in an aggressive fashion,” he said. “We are in an era of new spying, one dominated by advancements in technology where cyber spies rule this type of world the same ways that spies did during the Cold War battles between nations.”

Barak said the pattern of operation that is described in Certfa’s research fits the profile of previous activities by Iranian actors.

“Furthermore, there is a lot of evidence that these types of campaigns and operations never stopped and never slowed down,” he said. “The data suggests that Iran has been engaged in these activities for a long time and has recently accelerated them.”

According to Barak, phishing scams continue to be a very common tactic because they are still proving to be an effective way into networks.

“Phishing is very successful because it takes advantage of one of the weakest links in the security chain, which is the unsuspecting user,” he said. “Phishing takes advantage of the user’s judgement on whether to click a link or open a web page, and often there is no air-tight mechanism in place to prevent this.

“At the end of the day, users are bound to open the doors to the enterprise network to threat actors and it’s about having mechanisms in place to allow organisations to further inspect and to get a better feel for the user activity that opens the door to criminal activity.”

Reducing the risk from users fits within an enterprise’s security programme, said Barak. “The biggest question is how we can use technology to prevent threat actors from being allowed into corporate networks by unsuspecting employees,” he added.

“Today, machine learning and behavioural analysis technologies are proving effective in identifying these abnormalities in cases where humans fail to see the facade of something that turns out isn't benign at all.”

In the light of their findings, the Certfa researchers published a list of recommendations, including that organisations should:

• Stop using two-factor authentication by plain text message.
• Start using security keys for two-factor authentication.
• Inform employees about any phishing threats and encourage them to use security keys.
• Always use company and institution email accounts instead of personal email for sensitive data.
• Use email encryption such PGP for sensitive emails.
• Stop storing sensitive information as plain text in mailboxes.