Hackers believed to be associated with Charming Kitten have ramped up their activities with a phishing campaign against American officials charged with enforcing economic sanctions imposed on Iran by President Trump.
Citing research from Certfa, which discovered an open server listing Gmail and Yahoo email addresses in the hackers’ sights, AP said that the Iranian hacking group targeted the private emails of a handful of Treasury Department officials as well as others opposed to and supportive of the Iran nuclear deal forged during the Obama administration.
“In this campaign, hackers have targeted individuals who are involved in economic and military sanctions against the Islamic Republic of Iran as well as politicians, civil and human rights activists and journalists around the world,” according to a Certfa blog, detailing its findings.
After a tip from a Twitter user alerted Certfa to the address accounts[-]support[.]services, a domain Certfa said “is linked to a group of hackers who are supported by the Iranian government, and that we believe have close ties with the Islamic Revolutionary Guard Corps (IRGC),” the cybersecurity company discovered that a month after initial activity was noted, administrators of account “expanded their activities and started targeting civil and human rights activists, political figures and also Iranian and Western journalists.”
While the hackers used VPNs to obscure their locations, their real IP addresses from Iran were used as they prepared for the campaign. The domain names and servers are similar to those of Charming Kitten, who have seemingly sharpened their focus on U.S. and Israeli citizens.
“Iran and all nation-states have been hacking each other for decades and we can expect it to continue in an aggressive fashion,” said Israel Barak, CIO at Cybereason. “We are in an era of new spying, one dominated by advancements in technology where cyber spies rule this type of world the same ways spies did during the cold war battles between nations.”
The pattern of operation detailed by Certfa “certainly fits the profile of previous activities by Iranian actors,” said Barak, noting the campaigns and operations are likely ongoing. “The data suggests that Iran has been engaged in these activities for a long time and have recently accelerated them.”