Iranian Hackers Using LinkedIn, WhatsApp to Target Victims
'Charming Kitten' Threat Group Continues Impersonating Journalists
"Charming Kitten," a hacking group with ties to the Iranian government, is now using LinkedIn and WhatsApp messages to contact potential victims in order to build trust and persuade them to visit a phishing page, according to security firm ClearSky.
The campaigns, which began in July, attempt to target Israeli academic scholars as well as U.S. government employees through messages and WhatsApp calls that supposedly come from Persian-speaking journalists working for well-known media organizations, the report notes. The hackers created fake WhatsApp and LinkedIn profiles of journalists.
By personalizing the campaign and using these social media platforms, the attackers attempt to gain the victims' trust and coax them into opening the malicious links embedded in follow-up emails, according to the report.
Charming Kitten, also known as APT35, Phosphorus and Ajax, is one of Iran's top state-sponsored hacking groups. While the group's tactic of impersonating journalists is not new, ClearSky researchers say the latest campaigns are the first time the threat actors used mediums other than email or SMS to target their victims (see: Fraudsters Pose as Journalist in Phishing Campaign: Report).
"This is the first time we identified an attack by Charming Kitten conducted through WhatsApp and LinkedIn, including attempts to conduct phone calls between the victim and the Iranian hackers," the researchers note in the report. "These two platforms enable the attacker to reach the victim easily, spending minimum time in creating the fictitious social media profile. However, in this campaign, Charming Kitten has used a reliable, well-developed LinkedIn account to support their email spear-phishing attacks."
ClearSky analysts uncovered two phishing campaigns that impersonated journalists working for legitimate news organizations.
In one campaign, the attackers posed as an Iranian journalist working with Deutsche Welle - a German broadcasting company, the report notes.
This campaign attempted to target researchers in Haifa and Tel Aviv Universities in Israel by sending messages to the victims inviting them to take part in a Deutsche Welle webinar on Iran.
The first set of messages, however, did not contain any malicious links. Instead, the attackers urged the victims to share their contact numbers for a briefing over a WhatsApp call on the details of the event, the report notes.
"If the victim is not willing to share their personal phone number, the attacker will send him a message from the fake LinkedIn account," the report notes. "This message will contain a promise that the webinar is secured by Google."
In the next stage of the attacks, the hackers send the victims a malicious link hosted on the legitimate Deutsche Welle domain, requesting that they sign up to attend the webinar by using their email accounts.
When the victims click on the Microsoft Outlook option, they are redirected to a phishing page on a malicious domain, which then attempts to harvest their credentials, the report notes.
"If the victim enters their correct password, they are sent to a [two-factor authentication] page," the report notes. "A wrong password produces an error message. The attackers will then pressure the victim to try again using their university email."
Deutsche Welle confirmed the reporter never contacted the victims and clarified that the purported webinar was a hoax, according to ClearSky.
In the other campaign, the attackers mimicked another journalist working for the Los Angeles-based Jewish Journal, according to ClearSky. In this case, the hackers made up a fake LinkedIn profile of "Marcy Oster" and attempted to contact potential victims in the same way.
Since the campaign largely targeted academics who were familiar with Charming Kitten's activities, the ClearSky report notes most of the phishing attempts were unsuccessful.
Charming Kitten Activities
Charming Kitten has been targeting journalists and activists since at least 2013. Recently, the group has expanded its target list to include high-ranking American civil servants and officials as well as organizations working on COVID-19 issues, the report says.
In July, Charming Kitten accidentally exposed videos related to the group's hacking and training activities. These videos detailed the group's spear-phishing campaigns against U.S. Navy and State Department personnel (see: Iranian Hackers Accidentally Exposed Training Videos).
In June, researchers with Google found Charming Kitten hackers unsuccessfully targeted the presidential campaign offices of President Donald Trump (see: Google: Phishing Attacks Targeted Trump, Biden Campaigns).