14 July 21, 11:45
(This post was last modified: 14 July 21, 11:46 by silversurfer.)
Quote: An Iran-linked advanced persistent threat (APT) group has taken a scholarly bent with its latest phishing campaign, which involves lengthy chats with professors, think tank higher-ups and journalists focused on Middle Eastern affairs.
The threat actor is Charming Kitten – aka a number of names, including TA453, APT35, Ajax Security Team, NewsBeef, Newscaster and Phosphorus. It’s an ever-evolving APT, and this is one of its more sophisticated campaigns, according to what Proofpoint researchers reported on Tuesday.
Not that the aims of this APT actor have been modest in the past. For example, in March, Charming Kitten launched a credential-stealing campaign that targeted genetic, neurology and oncology professionals.
Charming Kitten has also been tied to attacks on President Trump’s 2020 re-election campaign. In October 2019, researchers reported that the actor had added new spearphishing techniques to its arsenal in what appeared to be a ramp-up of operations. Security researchers who tracked the earlier phase of the campaign in October 2018 saw attacks tailored to elude two-factor authentication in order to compromise email accounts and to monitor communications.
The current campaign includes masquerading as British scholars; engaging in dialogue with targets; and linking to the website of a legitimate, world-class, already compromised academic institution in order to harvest credentials.
Proofpoint has named the campaign Operation SpoofedScholars and has linked it to the Iranian government, with the intention of what researchers believe is cyberespionage. This is “an APT who we assess with high confidence supports Islamic Revolutionary Guard Corps (IRGC) intelligence collection efforts,” according to the report.
This is a limited, “highly selective” campaign that, according to Proofpoint telemetry, is targeting fewer than 10 organizations. Charming Kitten is after people who have “information of interest to the Iranian government, including, but not limited to, information about foreign policy, insights into Iranian dissident movements, and understanding of U.S. nuclear negotiations,” according to the report.
This is a wash, rinse and repeat situation: The threat actor has previously targeted most of the targets identified by Proofpoint, they said.
Read more: 'Charming Kitten' APT Siphons Intel From Mid-East Scholars | Threatpost