The Federal Office for the Protection of the Constitution (BfV) has issued a warning about a cyberattack targeting Iranian dissident groups and individuals within the country. The attack is attributed to the Iran-linked Advanced Persistent Threat (APT) group known as Charming Kitten, also referred to as APT35, Phosphorus, and Newscaster Team. According to experts, the group gained notoriety in 2014 for orchestrating an extensive online espionage campaign conducted primarily through social media.
Microsoft has been monitoring Charming Kitten’s activities since at least 2013, with evidence suggesting their cyberespionage efforts date back to 2011. The group’s targets include journalists, activists, and organizations in the Middle East, as well as entities in the United States, the United Kingdom, Israel, Iraq, and Saudi Arabia.
In 2022, multiple IT security service providers reported that Charming Kitten was investigating and targeting Iranian opposition figures and exiles. The BfV alert indicates that the cyberattacks were directed primarily at dissident organizations and individuals, such as lawyers, journalists, and human rights activists, both within and outside Iran.
Charming Kitten’s modus operandi involves leveraging social media for information gathering and executing social engineering attacks. The hackers establish contact with their victims using fabricated personas, building rapport and trust. This relationship is exploited to compromise the targets. Subsequently, the victims receive messages containing links to online chat platforms, which lead to phishing pages.
The phishing process unfolds in several stages. First, a seemingly innocuous contact is established, often referencing people or topics known to the victims. Then, through social engineering tactics, the attackers manipulate and convince the victims to act in a way that compromises their security. Finally, an invitation to an online video chat is sent, requiring victims to click on a link. By entering their login credentials on the provided page, the victims inadvertently grant the attackers access to their online accounts.
“Through the social engineering carried out in advance, Charming Kitten can establish a seemingly harmless contact in a targeted manner, in that the group refers to people who are known to the victims or addresses topics that seem logical to the victims.”
Technical details about Charming Kitten’s tactics, techniques, and procedures (TTPs) were outlined in a 2022 report by CERTFA (Computer Emergency Response Team in Farsi), an anonymous group that monitors cyberattacks by Iranian threat actors against Iranian citizens worldwide.
Intelligence agencies express concern that Iranian dissidents under surveillance by the Tehran government could face life-threatening consequences, as the regime may resort to lethal measures against these individuals.