The Federal Office for the Protection of the Constitution (BfV) is warning that an alleged nation-state actor targeted Iranian dissident organizations and individuals inside Germany.
The intelligence agency attributes the attack to the Iran-linked APT group Charming Kitten (aka APT35, Phosphorus, Newscaster, and Ajax Security Team).
The Charming Kitten group made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Microsoft has been tracking the threat actors since at least 2013, but experts believe that the cyberespionage group has been active since at least 2011, targeting journalists and activists in the Middle East, as well as organizations in the United States and entities in the U.K., Israel, Iraq, and Saudi Arabia.
“In 2022, several IT security service providers reported on the APT group Charming Kitten, which is said to be involved in investigating Iranian opposition figures and Iranian exiles. The cyber attacks were primarily aimed at dissident organizations and individuals – such as lawyers, journalists or human rights activists – inside and outside of Iran.” reads the alert published by the BfV.
The cyber spies used social media to gather information on the targets and as a vector for social engineering attacks. The state-sponsored hackers used false personas to get in touch with the victims and establish a relationship that allowed them to compromise their targets.
Once they had established a rapport with the victims, the hackers sent them messages containing a link to an online chat that led to a phishing page.
“In the second step, personal contact takes place, during which the victim is manipulated through social engineering and misled with false promises to behave in a way that is critical to security. As a third step, once the conversation has established itself, the attacker sends an invitation to an online video chat. In order to participate in the video chat, the victim must click on the link sent by the attacker. In the login mask, the victims enter their login data and allow the attacker to access the online services they use.” continues the report. “Through the social engineering carried out in advance, Charming Kitten can establish a seemingly harmless contact in a targeted manner, in that the group refers to people who are known to the victims or addresses topics that seem logical to the victims.”
The TTPs associated with the Iran-linked APT group were detailed in a report published in 2022 by CERTFA (the ‘Computer Emergency Response Team in Farsi’), an anonymous collective that monitors attacks conducted by Iranian cybercriminals and nation-state actors against Iranian citizens around the world.
Intelligence officers believe that Iranian dissidents tracked by the government in Tehran could be killed by the regime.